Adversaries may drop malicious binaries into the Windows spool drivers color folder (\Windows\System32\spool\drivers\color) to evade detection and execute payloads under the guise of legitimate print services. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence that leverages trusted system directories.
Detection Rule
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder, as seen in the blog referenced below
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
            - '.sys'
    condition: selection
falsepositives:
    - Unknown
level: medium
imFileEvent
| where TargetFileName startswith "C:\\Windows\\System32\\spool\\drivers\\color\\" and (TargetFileName endswith ".dll" or TargetFileName endswith ".exe" or TargetFileName endswith ".sys")
Scenario: Scheduled Job for Printer Spooler Maintenance
Description: A legitimate scheduled task runs to clean up or maintain the printer spooler, which may involve writing temporary binary files to the \Spool\Drivers\Color folder.
Filter/Exclusion: Exclude files created by the Print Spooler service or tasks with a known name like PrintQueueCleanup or SpoolerMaintenance.

Scenario: Windows Update or Driver Installation
Description: Windows Update or driver installation processes may temporarily place binary files in the \Spool\Drivers\Color folder as part of the installation process.
Filter/Exclusion: Exclude files with extensions like .inf, .cat, or .sys, or files created by the Windows Update service or Setup.exe.

Scenario: Admin Task for Printer Driver Configuration
Description: An administrator may manually configure printer drivers, which could involve copying or generating binary files into the \Spool\Drivers\Color folder.
Filter/Exclusion: Exclude files created by processes with the Administrators group or with a known admin tool like PrintUI or Add Printer Wizard.

Scenario: Antivirus or Endpoint Protection Scan
Description: Some endpoint protection tools may temporarily store binary files in the \Spool\Drivers\Color folder during a scan or quarantine operation.
Filter/Exclusion: Exclude files created by known antivirus processes like MpCmdRun.exe, MsMpEng.exe, or Windows Defender.

Scenario: Custom Script for Printer Management
Description: A custom script or tool used for printer management (e.g., PDFFormat or PrintManager) may write binary files to the \Spool\Drivers\Color folder as part of its operation.
Filter/Exclusion: Exclude
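The following is an added example, not part of the original rule or of Nextron's Sigma repository: it implements the rule's selection logic and the process-based tuning suggested by the scenarios above over a handful of constructed Sysmon Event ID 11 style records, so an analyst can see which events survive tuning before committing an exclusion to Sentinel. The benign-process allowlist (spoolsv.exe for the Print Spooler, MsMpEng.exe and MpCmdRun.exe for Defender, PrintUI.exe) is an assumption built from the scenarios and should be validated against your own telemetry. It also includes a check for a pitfall in the driver-installation scenario: excluding .sys by extension silently removes one of the three extensions the rule exists to catch.

```python
"""Evaluate the 'Drop Binaries Into Spool Drivers Color Folder' rule and
scenario-based tuning over constructed file-creation events."""
from dataclasses import dataclass

# Values taken from the Sigma rule on the page.
WATCHED_DIR = r"C:\Windows\System32\spool\drivers\color\\"[:-1]
WATCHED_EXTS = (".dll", ".exe", ".sys")

# Hypothetical allowlist derived from the false-positive scenarios (assumption,
# not part of the rule). Compared case-insensitively on the image file name only.
BENIGN_IMAGES = {"spoolsv.exe", "msmpeng.exe", "mpcmdrun.exe", "printui.exe"}


@dataclass
class FileEvent:
    """Subset of Sysmon Event ID 11 (FileCreate) fields."""
    target_filename: str  # TargetFilename
    image: str            # Image: full path of the creating process
    user: str             # User


def matches_rule(ev: FileEvent) -> bool:
    """Sigma startswith/endswith modifiers are case-insensitive, so lower-case both sides."""
    name = ev.target_filename.lower()
    return name.startswith(WATCHED_DIR.lower()) and name.endswith(WATCHED_EXTS)


def is_tuned_out(ev: FileEvent) -> bool:
    """Drop events whose creating process is on the benign allowlist."""
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    return image_name in BENIGN_IMAGES


def hunt(events: list[FileEvent]) -> list[FileEvent]:
    """Rule hits that survive tuning; these are the events worth triaging."""
    return [ev for ev in events if matches_rule(ev) and not is_tuned_out(ev)]


def extension_exclusion_conflicts(excluded_exts: list[str]) -> list[str]:
    """Extensions that a proposed exclusion would remove from the rule's own scope."""
    return sorted({e.lower() for e in excluded_exts} & set(WATCHED_EXTS))


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\spool\drivers\color\update.dll",
              r"C:\Users\bob\AppData\Local\Temp\stage.exe", "CORP\\bob"),
    FileEvent(r"C:\Windows\System32\spool\drivers\color\sRGB.icm",
              r"C:\Windows\System32\spoolsv.exe", "NT AUTHORITY\\SYSTEM"),
    FileEvent(r"C:\Windows\System32\spool\drivers\color\mscms.dll",
              r"C:\Windows\System32\spoolsv.exe", "NT AUTHORITY\\SYSTEM"),
    FileEvent(r"C:\Windows\System32\spool\drivers\x64\3\vendor.dll",
              r"C:\Windows\System32\spoolsv.exe", "NT AUTHORITY\\SYSTEM"),
    FileEvent(r"C:\Windows\System32\spool\drivers\color\scan.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
              "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"TRIAGE: {ev.target_filename} created by {ev.image} ({ev.user})")
    conflicts = extension_exclusion_conflicts([".inf", ".cat", ".sys"])
    if conflicts:
        print(f"WARNING: extension exclusion would blind the rule to {conflicts}")
```

Only the first event survives: the .icm file never matches the rule, the x64\3 path is outside the watched folder, and the spoolsv.exe and MsMpEng.exe writes are tuned out. The conflict check reports .sys, which is the reason to prefer process-based exclusions over extension-based ones for this rule.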