title: Renamed jusched.exe 
status: experimental
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
description: Detects renamed jusched.exe used by cobalt group 
references:
    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
    - attack.t1036 
    - attack.execution
author: Markus Neis, Swisscom
date: 2019/06/04
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Description: Java Update Scheduler
    selection2:
        Description: Java(TM) Update Scheduler
    filter:
        Image|endswith:
            - '\jusched.exe'
    condition: (selection1 or selection2) and not filter
falsepositives:
    - penetration tests, red teaming
level: high