security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
T

29 lines
793 B
YAML
Raw Blame History

title: Renamed jusched.exe
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
status: test
description: Detects renamed jusched.exe used by cobalt group
author: Markus Neis, Swisscom
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
date: 2019/06/04
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection1:
Description: Java Update Scheduler
selection2:
Description: Java(TM) Update Scheduler
filter:
Image|endswith:
- '\jusched.exe'
condition: (selection1 or selection2) and not filter
falsepositives:
- Unknown
level: high
tags:
- attack.execution
- attack.defense_evasion
- attack.t1036.003
Reference in New Issue View Git Blame Copy Permalink