security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Renamed jusched

Browse Source 
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
This commit is contained in:
Unknown
2019-06-06 14:03:02 +02:00
parent 5037f7bf54
commit 7b0ecde334
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/sysmon_renamed_jusched.yml
+25
View File
@@ -0,0 +1,25 @@
title: Renamed jusched.exe
status: experimental
description: Detects renamed jusched.exe used by cobalt group
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
- attack.t1036
- attack.execution
- attack.masquerading
author: Markus Neis, Swisscom
logsource:
category: process_creation
product: windows
detection:
selection1:
Description: Java Update Scheduler
selection2:
Description: Java(TM) Update Scheduler
filter:
Image:
- '*\\jusched.exe'
condition: (selection1 or selection2) and not filter
falsepositives:
- penetration tests, red teaming
level: high