Date: 09/19/2024
Severity: High
Summary
Detects the post-exploitation execution method of the Serpent backdoor. According to Proofpoint, one of the commands executed by the backdoor created a temporary scheduled task through an unconventional approach: instead of a time-based trigger, the task is registered with a trigger bound to a specific Windows event, and the backdoor then generates a fake event matching that trigger, so the payload executes as soon as the event is created. The task is removed afterwards, which is why both task creation and deletion appear in the same command line.
Indicators of Compromise (IOC) List
Field | Values (substring / suffix matches) |
ParentImage | '\wscript.exe' |
ParentCommandLine | '\AppData\Local\Temp' '.zip' '.zip' 'update' '.js' 'Chrome' 'Edge' 'Firefox' 'Opera' 'Brave' 'Vivaldi' |
Image | '\cmd.exe' '\powershell.exe' '\pwsh.exe' |
CommandLine | '[System/EventID=' '/create' '/delete' '/ec' '/so' '/tn run' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Log source | Logic |
Detection Query 1 | Windows Security, Event ID 4688 | (resourcename = "Windows Security" AND eventtype = "4688" ) AND processname In ("\cmd.exe","\powershell.exe") AND message In ("[System/EventID=","/create","/delete","/ec","/so","/tn run") |
Detection Query 2 | EDR (process name / message fields) | technologygroup = "EDR" AND processname In ("\cmd.exe","\powershell.exe") AND message In ("[System/EventID=","/create","/delete","/ec","/so","/tn run") |
Detection Query 3 | Sysmon, Event ID 1 | (resourcename = "Sysmon" AND eventtype = "1" ) AND image In ("\cmd.exe","\powershell.exe") AND commandline In ("[System/EventID=","/create","/delete","/ec","/so","/tn run") |
Detection Query 4 | EDR (image / commandline fields) | technologygroup = "EDR" AND image In ("\cmd.exe","\powershell.exe") AND commandline In ("[System/EventID=","/create","/delete","/ec","/so","/tn run") |
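The following is an added worked example, not part of this advisory or of the referenced Sigma rule, showing the detection logic above applied to process-creation records outside the Gurucul query language. It takes the IOC values from the list on this page and evaluates them the way a process-creation rule would: image fields are suffix-matched, command-line fragments are substring-matched case-insensitively. Two choices are assumptions made here rather than statements of this page: the six scheduled-task fragments must all be present in the child command line (requiring all of them is what keeps ordinary `schtasks /create` usage from alerting), and only one of the browser names needs to appear in the parent command line. The sample records are constructed for the example; the `explain` helper reports which clause a near-miss failed on, which is useful when tuning the rule against real telemetry.

```python
"""Process-creation detection for the Serpent backdoor task-execution pattern.

Added example. Field names follow Sysmon Event ID 1 naming; the records
below are constructed sample data, not real telemetry.
"""

# Indicator values taken from the IOC list on this page.
PARENT_IMAGE_SUFFIXES = ("\\wscript.exe",)
PARENT_CMDLINE_ALL = ("\\AppData\\Local\\Temp", ".zip", "update", ".js")
PARENT_CMDLINE_ANY = ("Chrome", "Edge", "Firefox", "Opera", "Brave", "Vivaldi")
IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
# Assumption: all six fragments must be present in the child command line.
CMDLINE_ALL = ("[System/EventID=", "/create", "/delete", "/ec", "/so", "/tn run")


def _lower(event: dict, field: str) -> str:
    """Return a field as lower-case text ('' if absent) for case-insensitive matching."""
    return str(event.get(field, "")).lower()


def explain(event: dict) -> dict:
    """Evaluate each clause of the rule separately and report its outcome."""
    parent_image = _lower(event, "ParentImage")
    parent_cmd = _lower(event, "ParentCommandLine")
    image = _lower(event, "Image")
    cmd = _lower(event, "CommandLine")
    return {
        "ParentImage": any(parent_image.endswith(s.lower()) for s in PARENT_IMAGE_SUFFIXES),
        "ParentCommandLine": (
            all(t.lower() in parent_cmd for t in PARENT_CMDLINE_ALL)
            and any(t.lower() in parent_cmd for t in PARENT_CMDLINE_ANY)
        ),
        "Image": any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES),
        "CommandLine": all(t.lower() in cmd for t in CMDLINE_ALL),
    }


def matches_serpent_task_execution(event: dict) -> bool:
    """True only when every clause of the rule holds for the record."""
    return all(explain(event).values())


def scan(events: list) -> list:
    """Return the record identifiers of all events that match the rule."""
    return [e.get("EventId") for e in events if matches_serpent_task_execution(e)]


# Constructed sample records (not real logs). The first mirrors the described
# pattern: wscript.exe running a browser-"update" script from a .zip in Temp
# spawns cmd.exe, which registers an event-triggered task and deletes it.
# Payload and event details are placeholders.
SAMPLE_EVENTS = [
    {
        "EventId": "evt-1",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Chrome_update.zip\update.js"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            r'cmd.exe /c schtasks /create /tn run /ec Application /so <placeholder-source> '
            r'"[System/EventID=<placeholder>]" <payload-placeholder> && schtasks /delete /tn run /f'
        ),
    },
    {  # Benign: an administrator's script launched from Explorer.
        "EventId": "evt-2",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {  # Near miss: suspicious parent, but the child only queries a task.
        "EventId": "evt-3",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Edge_update.zip\update.js"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c schtasks /query /tn run",
    },
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_serpent_task_execution(ev) else "no match"
        print(f"{ev['EventId']}: {verdict} {explain(ev)}")
```

Running the module prints one verdict per sample record; only evt-1 alerts, and the clause breakdown for evt-3 shows that its parent process matched while the child command line did not. When porting this to a SIEM, confirm whether the platform's `In` operator on free-text fields means "contains any" or "contains all", because the difference decides how many fragments are needed before the rule fires.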
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml