Adversaries may modify COM registry keys to point to files in the color profile folder to establish persistence via COM hijacking. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential persistence mechanisms and mitigate advanced threats.
KQL Query
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
let mde_data = DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where RegistryKey has_any (guids)
| where RegistryValueData has "System32\\spool\\drivers\\color";
let event_data = SecurityEvent
| where EventID == 4657
| where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where ObjectName has_any (guids)
| where NewValue has "System32\\spool\\drivers\\color"
| extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
union mde_data, event_data
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
id: ed8c9153-6f7a-4602-97b4-48c336b299e1
name: COM Registry Key Modified to Point to File in Color Profile Folder
description: |
'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\.
This can be used to enable COM hijacking for persistence.
Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceRegistryEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1574
tags:
- KNOTWEED
query: |
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
let mde_data = DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where RegistryKey has_any (guids)
| where RegistryValueData has "System32\\spool\\drivers\\color";
let event_data = SecurityEvent
| where EventID == 4657
| where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where ObjectName has_any (guids)
| where NewValue has "System32\\spool\\drivers\\color"
| extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
union mde_data, event_data
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
entityMappings:
- entityType: RegistryKey
fieldMappings:
- identifier: Key
columnName: RegistryKey
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: InitiatingProcessFileName
- entityType: Account
fieldMappings:
- identifier: Name
columnName: InitiatingProcessAccountName
- identifier: NTDomain
columnName: InitiatingProcessAccountName
version: 1.1.1
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft Security Research
support:
tier: Community
categories:
domains: [ "Security - Others" ]| Sentinel Table | Notes |
|---|---|
DeviceRegistryEvents | Ensure this data connector is enabled |
SecurityEvent | Ensure this data connector is enabled |
Scenario: Scheduled Print Driver Update Job
Description: A legitimate scheduled task runs a script to update color profile drivers, which may modify registry keys in the color profile folder.
Filter/Exclusion: Check for ProcessName = "schtasks.exe" or CommandLine containing "update" or "driver". Exclude processes associated with print services (e.g., spoolsv.exe).
Scenario: Adobe Color Profile Sync Tool
Description: Adobe applications may modify COM registry keys as part of synchronizing color profiles across systems.
Filter/Exclusion: Filter by ProcessName = "AdobeColorSyncTool.exe" or check for CommandLine containing "Adobe" or "colorsync".
Scenario: Windows Update or System File Checker (SFC) Repair
Description: During system repairs or updates, Windows may modify registry entries in the color profile folder as part of restoring or updating system files.
Filter/Exclusion: Exclude events where ProcessName = "wuauserv.exe" or "sfc.exe", or check for EventID = 6008 (system crash dump) or EventID = 6006 (system event log).
Scenario: IT Admin Manual Registry Edit for Color Profile Configuration
Description: An administrator manually edits registry keys to configure color profiles for a specific application or user.
Filter/Exclusion: Filter by User = "Administrator" or User = "Domain Admins", and check for CommandLine containing "regedit" or "reg".
Scenario: Third-Party Color Management Software Installation
Description: A legitimate color management tool (e.g., ColorSync, X-Rite, or Pantone) may modify COM registry keys during installation.
Filter/Exclusion: Exclude processes