Renamed Jusched.EXE Execution
Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Sigma rule (View on GitHub)
1title: Renamed Jusched.EXE Execution
2id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
3status: test
4description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
5references:
6 - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
7author: Markus Neis, Swisscom
8date: 2019/06/04
9modified: 2023/02/03
10tags:
11 - attack.execution
12 - attack.defense_evasion
13 - attack.t1036.003
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Description:
20 - Java Update Scheduler
21 - Java(TM) Update Scheduler
22 filter:
23 Image|endswith: '\jusched.exe'
24 condition: selection and not filter
25falsepositives:
26 - Unknown
27level: high
References
-
%PDF-1.7 %âãÏÓ 431 0 obj endobj xref 431 316 0000000016 00000 n 0000007994 00000 n 0000008139 00000 n 0000008175 00000 n 0000009101 00000 n 0000009548 00000 n 0000009662 00000 n 0000010165 00000 n ...
Read More
Related rules
- Renamed Autohotkey Binary
- Microsoft Workflow Compiler Execution
- Run PowerShell Script from Redirected Input Stream
- Flash Player Update from Suspicious Location
- Suspicious Start-Process PassThru