SigmaHQ/rules/windows/process_creation/win_renamed_jusched.yml

30 lines
902 B
YAML
Raw Normal View History

2020-03-25 13:36:34 +00:00
title: Renamed jusched.exe
status: experimental
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
description: Detects renamed jusched.exe used by cobalt group
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
- attack.execution
- attack.defense_evasion
- attack.t1036 # an old one
- attack.t1036.003
2020-03-25 13:36:34 +00:00
author: Markus Neis, Swisscom
date: 2019/06/04
modified: 2020/09/06
2020-03-25 13:36:34 +00:00
logsource:
category: process_creation
product: windows
detection:
selection1:
Description: Java Update Scheduler
selection2:
Description: Java(TM) Update Scheduler
filter:
Image|endswith:
- '\jusched.exe'
condition: (selection1 or selection2) and not filter
falsepositives:
- penetration tests, red teaming
level: high