ManageEngine Endpoint Central Dctask64.EXE Potential Abuse

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055.001` Process Injection: Dynamic-link Library Injection
Defense Evasion	`T1055.001` Process Injection: Dynamic-link Library Injection

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Hashes|contains: 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
Hashes|contains: 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
Hashes|contains: 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
Hashes|contains: 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
Image|endswith: '\dctask64.exe'

Stage 2: `all of selection_cli`

or:
CommandLine|contains: ' executecmd64 '
CommandLine|contains: ' injectDll '
CommandLine|contains: ' invokeexe '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`executecmd64` `injectDll` `invokeexe`
`Hashes`	match	`IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA` corpus 2 (sigma 2) `IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD` corpus 2 (sigma 2) `IMPHASH=F1039CED4B91572AB7847D26032E6BBF` corpus 2 (sigma 2) `IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3` corpus 2 (sigma 2)
`Image`	ends_with	`\dctask64.exe` corpus 2 (sigma 2)