Serpent Backdoor Payload Execution Via Scheduled Task

    Date: 09/19/2024

    Severity: High

    Summary

    Detects the post-exploitation execution method of the Serpent backdoor. According to Proofpoint, one of the commands executed by the backdoor created a temporary scheduled task through an unconventional approach: the task is registered with an event-based trigger, and a fake Windows event matching that trigger is then generated, so the task fires and executes the payload as soon as the event is written.

    Indicators of Compromise (IOC) List

    ParentImage
        '\wscript.exe'

    ParentCommandLine
        '\AppData\Local\Temp'
        '.zip'
        'update'
        '.js'
        'Chrome'
        'Edge'
        'Firefox'
        'Opera'
        'Brave'
        'Vivaldi'

    Image
        '\cmd.exe'
        '\powershell.exe'
        '\pwsh.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename = "Windows Security" AND eventtype = "4688") AND processname In ("\cmd.exe","\powershell.exe") AND message In ("[System/EventID=","/create","/delete","/ec","/so","/tn run")

    Detection Query 2

    technologygroup = "EDR" AND processname In ("\cmd.exe","\powershell.exe") AND message In ("[System/EventID=","/create","/delete","/ec","/so","/tn run")

    Detection Query 3

    (resourcename = "Sysmon" AND eventtype = "1") AND image In ("\cmd.exe","\powershell.exe") AND commandline In ("[System/EventID=","/create","/delete","/ec","/so","/tn run")

    Detection Query 4

    technologygroup = "EDR" AND image In ("\cmd.exe","\powershell.exe") AND commandline In ("[System/EventID=","/create","/delete","/ec","/so","/tn run")
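    As an added example that is not part of this page, Gurucul's queries or the SigmaHQ rule, the indicator set above is expressed below as matching logic and run over constructed process-creation events. Field names follow the Sysmon/Sigma process_creation convention (ParentImage, ParentCommandLine, Image, CommandLine); the all-of versus any-of semantics chosen for each list, and case-insensitive matching, are assumptions. The second function mirrors Detection Queries 1-4, which inspect only the child process: the sample run shows that those queries fire without the wscript.exe parent context, and that, because their image list omits pwsh.exe, they miss a pwsh.exe child that the IOC list would catch.

```python
# Added example (not Gurucul's or the Sigma project's code): the indicators on this
# page as matching logic, run over constructed process-creation events.
# Assumptions: Sysmon/Sigma field names; "all of" for the path/extension tokens and
# the command-line tokens, "any of" for browser names; case-insensitive matching.

PARENT_IMAGE_SUFFIX = "\\wscript.exe"
# Every token must appear in the parent command line (assumed all-of)...
PARENT_CMDLINE_ALL = ("\\appdata\\local\\temp", ".zip", "update", ".js")
# ...plus at least one browser name (assumed any-of).
PARENT_CMDLINE_ANY = ("chrome", "edge", "firefox", "opera", "brave", "vivaldi")
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
# Event-triggered task creation followed by its deletion: all tokens required.
CMDLINE_ALL = ("[system/eventid=", "/create", "/delete", "/ec", "/so", "/tn run")


def _field(event, name):
    """Fetch a field as a lower-cased string (case-insensitive matching assumed)."""
    return str(event.get(name, "")).lower()


def matches_ioc_set(event):
    """Full indicator set: wscript.exe parent context AND the task-trigger command line."""
    parent_image = _field(event, "ParentImage")
    parent_cmd = _field(event, "ParentCommandLine")
    image = _field(event, "Image")
    cmd = _field(event, "CommandLine")
    return (
        parent_image.endswith(PARENT_IMAGE_SUFFIX)
        and all(t in parent_cmd for t in PARENT_CMDLINE_ALL)
        and any(t in parent_cmd for t in PARENT_CMDLINE_ANY)
        and image.endswith(IMAGE_SUFFIXES)
        and all(t in cmd for t in CMDLINE_ALL)
    )


def matches_detection_query(event):
    """The page's Detection Queries 1-4: child image plus command-line tokens only
    (no parent-process conditions; pwsh.exe is absent from their image list)."""
    image = _field(event, "Image")
    cmd = _field(event, "CommandLine")
    return image.endswith(("\\cmd.exe", "\\powershell.exe")) and all(t in cmd for t in CMDLINE_ALL)


# Constructed sample events (not real telemetry). Angle-bracket placeholders stand
# for values this page does not give.
_TRIGGER_CMD = ("schtasks /create <...> /ec Application <...>[System/EventID=<n>] /tn run <...> "
                "/so <source> <...> schtasks /delete /tn run")
SAMPLE_EVENTS = [
    {   # 0: true positive for both the IOC set and the queries
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Users\\<user>\\AppData\\Local\\Temp\\Chrome_update.zip\\update.js",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c " + _TRIGGER_CMD,
    },
    {   # 1: same parent context, benign child command line -> no match
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Users\\<user>\\AppData\\Local\\Temp\\Edge_update.zip\\update.js",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c schtasks /query /tn run",
    },
    {   # 2: same child command line but launched from explorer.exe ->
        #    hits the broader queries, not the full IOC set
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -c " + _TRIGGER_CMD,
    },
    {   # 3: full parent context but the child is pwsh.exe ->
        #    hits the IOC set, missed by the queries
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Users\\<user>\\AppData\\Local\\Temp\\Firefox_update.zip\\update.js",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh.exe -c " + _TRIGGER_CMD,
    },
]


def scan(events):
    """Return (index, ioc_match, query_match) for every event that hits either rule."""
    hits = []
    for i, ev in enumerate(events):
        ioc, query = matches_ioc_set(ev), matches_detection_query(ev)
        if ioc or query:
            hits.append((i, ioc, query))
    return hits


if __name__ == "__main__":
    for i, ioc, query in scan(SAMPLE_EVENTS):
        print(f"event {i}: IOC set={ioc} detection query={query}")
```

    Running the block prints one line per hit: event 0 matches both rules, event 2 matches only the child-process queries, and event 3 matches only the full IOC set. Adding "\pwsh.exe" to the image list of the four queries would close that gap.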

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml

    Tags

    Sigma, Malware, Backdoor
