Serpent Backdoor Payload Execution Via Scheduled Task
Detects the post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method: it creates a fictitious Windows event and a trigger for it, so that once the event is created the payload executes.
Sigma rule
```yaml
title: Serpent Backdoor Payload Execution Via Scheduled Task
id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
status: test
description: |
    Detects post exploitation execution technique of the Serpent backdoor.
    According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
    It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
author: '@kostastsale'
date: 2022-03-21
tags:
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.006
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '[System/EventID='
            - '/create'
            - '/delete'
            - '/ec'
            - '/so'
            - '/tn run'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
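As an added example (not part of the rule or of this page), the Python below applies the rule's `selection` logic to a few constructed process_creation events, showing that a hit needs both a matching `Image` and all six command-line tokens; the sample command lines and their placeholder values are constructed, not real telemetry.

```python
# Added example, not part of the Sigma rule or its page: a minimal matcher
# that applies this rule's `selection` to constructed process_creation events.

# Values copied from the rule. Sigma string matching is case-insensitive
# unless the `cased` modifier is used, so both sides are lowercased.
IMAGE_ENDSWITH = ["\\cmd.exe", "\\powershell.exe"]
CMDLINE_CONTAINS_ALL = ["[System/EventID=", "/create", "/delete",
                        "/ec", "/so", "/tn run"]

def matches_serpent_schtasks_rule(event: dict) -> bool:
    """True when a process_creation event satisfies the rule's `selection`."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_ok = any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH)
    # contains|all: every token must occur somewhere in the command line,
    # in any order; one missing token is a miss.
    cmdline_ok = all(tok.lower() in cmdline for tok in CMDLINE_CONTAINS_ALL)
    return image_ok and cmdline_ok

# Constructed sample events (not real telemetry). Event 0 has the shape the
# rule describes: a task named "run" with an event trigger (/ec plus an XPath
# on System/EventID), a fabricated event raised with eventcreate (/so is its
# source switch) and the task deleted in the same cmd.exe invocation.
# Payload, event id and source are placeholders.
SAMPLE_EVENTS = [
    {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": (
            'cmd.exe /c schtasks /create /tn run /sc onevent /ec Application '
            '/mo "*[System/EventID=<PLACEHOLDER_ID>]" /tr "<PLACEHOLDER_PAYLOAD>" '
            '& eventcreate /so <PLACEHOLDER_SOURCE> /id <PLACEHOLDER_ID> '
            '& schtasks /delete /tn run /f'
        ),
    },
    {   # routine admin task: time trigger, no fabricated event, never deleted
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c schtasks /create /tn Backup /sc daily /tr C:\\Tools\\backup.bat",
    },
    {   # every command-line token present, but Image is outside the rule's list
        "Image": "C:\\Program Files\\Vendor\\agent.exe",
        "CommandLine": 'schtasks /create /tn run /ec Application /so x /delete "[System/EventID=1]"',
    },
]

def run_rule(events) -> list:
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_serpent_schtasks_rule(e)]
```

Because `/ec` and `/so` are plain substring tests, the rule tolerates extra switches and reordering, but a lowercase `/tn RUN` variant still matches only because Sigma's comparison is case-insensitive.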
Related rules
- ChromeLoader Malware Execution
- Diamond Sleet APT Scheduled Task Creation
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Schtasks Creation Or Modification With SYSTEM Privileges
- Emotet Loader Execution Via .LNK File