Serpent Backdoor Payload Execution Via Scheduled Task

Detects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.

Sigma rule (View on GitHub)

 1title: Serpent Backdoor Payload Execution Via Scheduled Task
 2id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
 3status: test
 4description: |
 5    Detects post exploitation execution technique of the Serpent backdoor.
 6    According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
 7    It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.    
 8references:
 9    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
10author: '@kostastsale'
11date: 2022-03-21
12tags:
13    - attack.execution
14    - attack.persistence
15    - attack.t1053.005
16    - attack.t1059.006
17    - detection.emerging-threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        Image|endswith:
24            - '\cmd.exe'
25            - '\powershell.exe'
26        CommandLine|contains|all:
27            - '[System/EventID='
28            - '/create'
29            - '/delete'
30            - '/ec'
31            - '/so'
32            - '/tn run'
33    condition: selection
34falsepositives:
35    - Unlikely
36level: high

References

Related rules

to-top