valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fdcba84fc8
SigmaHQ/rules/windows/sysmon/sysmon_renamed_jusched.yml

27 lines
839 B
YAML
Raw Normal View History

Renamed jusched https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
2019-06-06 12:03:02 +00:00
title: Renamed jusched.exe
status: experimental
Missing ID, wrong tag
2020-01-31 06:32:28 +00:00
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
Renamed jusched https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
2019-06-06 12:03:02 +00:00
description: Detects renamed jusched.exe used by cobalt group
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
- attack.t1036
- attack.execution
author: Markus Neis, Swisscom
Added date
2020-01-31 06:21:02 +00:00
date: 2019/06/04
Renamed jusched https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
2019-06-06 12:03:02 +00:00
logsource:
category: process_creation
product: windows
detection:
selection1:
Description: Java Update Scheduler
selection2:
Description: Java(TM) Update Scheduler
filter:
fix: escaped backslash
2020-02-29 09:12:59 +00:00
Image|endswith:
- '\jusched.exe'
Renamed jusched https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
2019-06-06 12:03:02 +00:00
condition: (selection1 or selection2) and not filter
falsepositives:
- penetration tests, red teaming
level: high
Reference in New Issue Copy Permalink