Adversaries may modify COM class registrations under HKLM\SOFTWARE\Classes\CLSID so that a CLSID resolves to a malicious DLL dropped in the Windows color profile folder (C:\Windows\System32\spool\drivers\color), a trusted system path that is rarely scrutinised and rarely covered by allow-listing. SOC teams should hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to surface persistence mechanisms and early-stage malware activity. Note the scope of the query below: it inspects only the machine hive, so a per-user hijack written under HKEY_USERS\<SID>\SOFTWARE\Classes\CLSID is not matched and needs a separate hunt.
KQL Query
```kusto
// COM hijack via registry: CLSID registrations repointed to the color profile folder
// CLSIDs observed in the KNOTWEED activity; has_any matches them case-insensitively
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
// machine-hive COM registrations only (per-user CLSID keys are out of scope here)
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where RegistryKey has_any (guids)
// the new server path points into the color profile folder
| where RegistryValueData has "System32\\spool\\drivers\\color"
```
The same query as a Sentinel hunting-query definition:

```yaml
id: 9c1331df-9bb3-4b52-b7d7-5a6e9e6d97b4
name: KNOTWEED-COM Registry Key Modified to Point to Color Profile Folder
description: |
  'This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Persistence
relevantTechniques:
query: |
  // COM hi-jack via registry
  let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
  DeviceRegistryEvents
  | where ActionType == "RegistryValueSet"
  | where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
  | where RegistryKey has_any (guids)
  | where RegistryValueData has "System32\\spool\\drivers\\color"
```
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and that this table is being ingested |
The scenarios below can produce benign hits. Two caveats before adding exclusions: none of these workflows normally needs to point a CLSID server path at a DLL in the color folder (ICC profiles are data files, not COM servers), so confirm that a scenario actually occurs in your environment before excluding it; and exclude on the full initiating process path (InitiatingProcessFolderPath plus InitiatingProcessFileName), ideally together with the signer, never on a bare file name, because a name such as colorcpl.exe is trivial for an attacker to reuse from another directory.

Scenario: A system administrator updates colour profile settings via the Windows Color Management tool to ensure accurate print output.
Filter/Exclusion: Exclude registry value sets whose initiating process is the Windows Color Management applet at its full path (C:\Windows\System32\colorcpl.exe).

Scenario: A scheduled task runs to update printer drivers, and the update writes registry keys that reference the color profile folder.
Filter/Exclusion: Exclude only the specific, verified task (by task name and the driver installer it launches), not every change initiated under the Task Scheduler service; scheduled tasks are themselves a common persistence vector, so a blanket exclusion would hide exactly the activity this hunt is looking for.

Scenario: A legitimate software update (e.g., from a printer manufacturer) modifies registry keys to point to its colour profile folder.
Filter/Exclusion: Exclude registry modifications made by known printer or imaging software (e.g., HP Color Management, Canon IJ Printer Driver), identified by the vendor binary's installed path and signer rather than by product name alone.

Scenario: A system update or Windows feature installation (e.g., Print Spooler or Windows Imaging Component) alters registry entries that reference the color profile directory.
Filter/Exclusion: Exclude registry changes made by Windows Update or Windows Installer (C:\Windows\System32\msiexec.exe, wuauclt.exe, or TrustedInstaller.exe for component servicing), again matched on full path.

Scenario: A third-party application (e.g., a graphic design tool) configures itself to use colour profiles stored in the color folder.
Filter/Exclusion: Exclude registry modifications made by known graphic design or imaging applications (e.g., Adobe Photoshop, GIMP, or Corel PaintShop Pro), matched on their installed executable path.
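To make the hunt's match logic and the exclusion guidance above concrete, here is an added example (not from the original page, Microsoft's hunting-query repository, or the KNOTWEED reporting) that re-implements the four `where` clauses in Python over constructed DeviceRegistryEvents rows and layers a narrow, full-path allow-list on top. The column names follow the DeviceRegistryEvents schema; the sample rows, the device names and the allow-listed initiator paths are assumptions for illustration. It shows the spoofed-name case (a `colorcpl.exe` outside System32 still alerts) and the per-user hive case the KQL does not cover.

```python
"""Added example: the KNOTWEED COM-hijack hunt applied offline to constructed
DeviceRegistryEvents rows, plus a full-path exclusion layer (assumed, not
from the page)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# CLSIDs from the hunting query, lower-cased: KQL's has_any is
# case-insensitive and CLSIDs are logged in either case.
HUNT_GUIDS = {
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}",
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}",
}
KEY_PREFIX = r"hkey_local_machine\software\classes\clsid"
COLOR_DIR = r"system32\spool\drivers\color"

# Constructed allow-list for the false-positive scenarios: full initiating
# process paths, never bare file names, because a bare name is trivially spoofed.
KNOWN_GOOD_INITIATORS = {
    r"c:\windows\system32\colorcpl.exe",  # Windows Color Management applet
    r"c:\windows\system32\msiexec.exe",   # Windows Installer
}

_CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass(frozen=True)
class RegistryEvent:
    """Subset of DeviceRegistryEvents columns used by the hunt."""
    DeviceName: str
    ActionType: str
    RegistryKey: str
    RegistryValueName: str
    RegistryValueData: str
    InitiatingProcessFolderPath: str
    InitiatingProcessFileName: str


def clsid_in_key(key: str) -> str | None:
    """Return the first CLSID found in a registry key path, lower-cased."""
    m = _CLSID_RE.search(key)
    return m.group(0).lower() if m else None


def matches_hunt(ev: RegistryEvent) -> bool:
    """Mirror the four 'where' clauses of the KQL hunt."""
    if ev.ActionType != "RegistryValueSet":
        return False
    if not ev.RegistryKey.lower().startswith(KEY_PREFIX):
        return False
    if clsid_in_key(ev.RegistryKey) not in HUNT_GUIDS:
        return False
    # KQL 'has' is a case-insensitive term match; a substring test is close enough here.
    return COLOR_DIR in ev.RegistryValueData.lower()


def initiator_path(ev: RegistryEvent) -> str:
    """Full, lower-cased path of the process that wrote the value."""
    return (ev.InitiatingProcessFolderPath.rstrip("\\") + "\\"
            + ev.InitiatingProcessFileName).lower()


def is_known_good(ev: RegistryEvent) -> bool:
    """Exclusion keyed on the full initiating process path, not the file name."""
    return initiator_path(ev) in KNOWN_GOOD_INITIATORS


def hunt(events) -> list[RegistryEvent]:
    """Events that match the hunt and are not explained by the allow-list."""
    return [ev for ev in events if matches_hunt(ev) and not is_known_good(ev)]


# Constructed sample rows (assumed data, not real telemetry).
HIJACK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
              r"\{DDC05A5A-351A-4E06-8EAF-54EC1BC2DCEA}\InprocServer32")
COLOR_PATH = "C:\\Windows\\System32\\spool\\drivers\\color\\"
SAMPLE_EVENTS = [
    # 1. Hijack: regsvr32 points the in-process server at a DLL in the color folder.
    RegistryEvent("ws01", "RegistryValueSet", HIJACK_KEY, "(Default)",
                  COLOR_PATH + "sample.dll", r"C:\Windows\System32", "regsvr32.exe"),
    # 2. Same write by the genuine Color Management applet: allow-listed (scenario 1).
    RegistryEvent("ws01", "RegistryValueSet", HIJACK_KEY, "(Default)",
                  COLOR_PATH + "sample.dll", r"C:\Windows\System32", "colorcpl.exe"),
    # 3. Name-only spoof: a 'colorcpl.exe' outside System32 must still alert.
    RegistryEvent("ws02", "RegistryValueSet", HIJACK_KEY, "(Default)",
                  COLOR_PATH + "sample.dll", r"C:\Users\Public", "colorcpl.exe"),
    # 4. CLSID in scope but server outside the color folder: no match.
    RegistryEvent("ws02", "RegistryValueSet", HIJACK_KEY, "(Default)",
                  r"C:\Program Files\Vendor\server.dll", r"C:\Windows\System32", "msiexec.exe"),
    # 5. Per-user hive: outside the query's HKLM scope, so the hunt misses it.
    RegistryEvent("ws03", "RegistryValueSet",
                  r"HKEY_USERS\S-1-5-21-1-2-3-1001\SOFTWARE\Classes\CLSID"
                  r"\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\InprocServer32",
                  "(Default)", COLOR_PATH + "sample.dll", r"C:\Windows\System32", "rundll32.exe"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"{ev.DeviceName}: {initiator_path(ev)} set {ev.RegistryKey} -> {ev.RegistryValueData}")
```

Running it reports rows 1 and 3 only: the genuine applet is excluded by its full path, the copy in C:\Users\Public is not, and row 5 never matches because the query's `startswith` clause is limited to HKEY_LOCAL_MACHINE. If per-user hijacks matter in your environment, add a second hunt over the HKEY_USERS prefix rather than loosening this one.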