Serpent Backdoor Payload Execution Via Scheduled Task
Detects the post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method: it creates a fictitious Windows event and a task trigger keyed to that event, so that as soon as the event is created the payload executes.
Sigma rule
```yaml
title: Serpent Backdoor Payload Execution Via Scheduled Task
id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
status: test
description: |
    Detects post exploitation execution technique of the Serpent backdoor.
    According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
    It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
author: '@kostastsale'
date: 2022-03-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.006
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '[System/EventID='
            - '/create'
            - '/delete'
            - '/ec'
            - '/so'
            - '/tn run'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
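To show what the selection above actually fires on, here is an added Python example (not part of the rule or of Proofpoint's write-up) that transcribes the rule's two conditions, an `Image|endswith` check and a `CommandLine|contains|all` check joined by AND, and runs them over a few constructed process-creation events. The field names `Image` and `CommandLine` come from the rule; the event dictionaries, the task name `run`, the event ID `9999` and the `<payload-placeholder>` string are all made up for the example.

```python
"""Evaluate the Serpent scheduled-task Sigma rule over process_creation events."""

# Rule logic transcribed from the Sigma rule on this page.
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
COMMANDLINE_TOKENS = (
    "[System/EventID=",
    "/create",
    "/delete",
    "/ec",
    "/so",
    "/tn run",
)


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection.

    Sigma string modifiers are case-insensitive by default, so both the
    endswith check and the contains|all check compare lower-cased strings.
    """
    image = str(event.get("Image", "")).lower()
    command_line = str(event.get("CommandLine", "")).lower()
    image_hit = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    cmdline_hit = all(tok.lower() in command_line for tok in COMMANDLINE_TOKENS)
    return image_hit and cmdline_hit


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {
        # Shape the rule targets: a single cmd.exe one-liner that creates a
        # task named "run" with an event trigger, then deletes the task.
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": (
            'cmd.exe /c schtasks /create /tn run /tr "<payload-placeholder>" '
            '/sc onevent /ec Application /so Constructed /mo "*[System/EventID=9999]" '
            "& schtasks /delete /tn run /f"
        ),
    },
    {
        # Ordinary admin use: event-triggered task, different name, no delete step.
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": (
            'schtasks /create /tn backup /sc onevent /ec System /so Backup '
            '/mo "*[System/EventID=1074]" /tr backup.cmd'
        ),
    },
    {
        # Same tokens, but the image is schtasks.exe itself, which the rule
        # does not list, so this event is not matched.
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": (
            'schtasks /create /tn run /sc onevent /ec Application /so X '
            '/mo "*[System/EventID=1]" & schtasks /delete /tn run'
        ),
    },
]


def run_detection(events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: event {idx} matches the Serpent scheduled-task rule")
```

Only the first sample fires. The third sample illustrates a caveat worth knowing when tuning this rule: because the selection requires `/create` and `/delete` in the same `CommandLine`, it matches the shell process whose command line chains both schtasks calls, not the individual `schtasks.exe` child processes, each of which carries only one of the two tokens.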
Related rules
- ChromeLoader Malware Execution
- Defrag Deactivation
- Kapeka Backdoor Persistence Activity
- OilRig APT Activity
- OilRig APT Registry Persistence