title: Renamed ZOHO Dctask64
author: Florian Roth
date: 2020/01/28
description: Detects a renamed dctask64.exe used for process injection, command execution,
  process creation with a signed binary by ZOHO Corporation
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Imphash: 6834B1B94E49701D77CCB3C0895E1AFD
  SELECTION_3:
    Image: '*\dctask64.exe'
  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
falsepositives:
- Unknown yet
fields:
- CommandLine
- ParentCommandLine
- ParentImage
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
level: high
logsource:
  category: process_creation
  product: windows
modified: 2020/08/28
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1055.001
- attack.t1202
- attack.t1218