Renamed ZOHO Dctask64 Execution

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055.001` Process Injection: Dynamic-link Library Injection
Defense Evasion	`T1036` Masquerading, `T1055.001` Process Injection: Dynamic-link Library Injection, `T1202` Indirect Command Execution, `T1218` System Binary Proxy Execution

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection`

or:
Hashes|contains: 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
Hashes|contains: 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
Hashes|contains: 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
Hashes|contains: 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'

Stage 2: `not 1 of filter_main_legit_name`

Image|endswith: '\dctask64.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Hashes`	match	`IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA` corpus 2 (sigma 2) `IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD` corpus 2 (sigma 2) `IMPHASH=F1039CED4B91572AB7847D26032E6BBF` corpus 2 (sigma 2) `IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3` corpus 2 (sigma 2)
`Image`	ends_with	`\dctask64.exe` corpus 2 (sigma 2)