diff --git a/rules/windows/sysmon/sysmon_renamed_jusched.yml b/rules/windows/sysmon/sysmon_renamed_jusched.yml
new file mode 100644
index 000000000..fa701f9dd
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_renamed_jusched.yml
@@ -0,0 +1,25 @@
+title: Renamed jusched.exe
+status: experimental
+description: Detects renamed jusched.exe used by cobalt group
+references:
+ - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
+tags:
+ - attack.t1036
+ - attack.execution
+ - attack.masquerading
+author: Markus Neis, Swisscom
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Description: Java Update Scheduler
+ selection2:
+ Description: Java(TM) Update Scheduler
+ filter:
+ Image:
+ - '*\\jusched.exe'
+ condition: (selection1 or selection2) and not filter
+falsepositives:
+ - penetration tests, red teaming
+level: high
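Review bot: `attack.masquerading` in the tags list is a technique name, not an ATT&CK tactic; Sigma tags pair the technique id with its tactic, and T1036's tactic is defense evasion, so that line should read `- attack.defense_evasion` (and `attack.execution` is arguably not what a masquerading rule covers — confirm against the project's tag convention). The `filter` only excludes images whose file name is still `jusched.exe`, so a copy kept under its original name in any directory is deliberately out of scope; stating that in `description` (e.g. `Detects a binary carrying the Java Update Scheduler version description that does not run under the jusched.exe file name`) would make the rule's coverage clear to analysts. The two `Description` spellings are the only selection criterion, which makes the rule brittle against a third version-string variant; if the deployed Sysmon build populates `OriginalFileName`, matching on it alongside `Description` would be a more stable signal, but verify the field is available before adding it. The collapsed diff has lost the YAML indentation, so the nesting under `detection` should be checked when the file is applied.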