title: Renamed jusched.exe
status: experimental
description: Detects renamed jusched.exe used by cobalt group
references:
    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
tags:
    - attack.t1036
    - attack.execution
    - attack.masquerading
author: Markus Neis, Swisscom
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Description: Java Update Scheduler
    selection2:
        Description: Java(TM) Update Scheduler
    filter:
        Image:
            - '*\\jusched.exe'
    condition: (selection1 or selection2) and not filter
falsepositives:
    - penetration tests, red teaming
level: high