Adversaries may drop malicious PE files in the color profile folder to evade detection by hiding malicious activity within legitimate system directories. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence mechanisms that leverage trusted system locations.
KQL Query

```kql
// PE file dropped in C:\Windows\System32\spool\drivers\color\
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\"
| where FileName endswith ".exe" or FileName endswith ".dll"
```
```yaml
id: cfdb2ccb-0eb3-47ed-9220-d56795906fdc
name: KNOTWEED-PE File Dropped in Color Profile Folder
description: |
  'This query identifies modifications to COM registry keys to point to executable files in C:\Windows\System32\spool\drivers\color\'
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
relevantTechniques:
query: |
  // PE file dropped in C:\Windows\System32\spool\drivers\color\
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where ActionType == "FileCreated"
  | where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\"
  | where FileName endswith ".exe" or FileName endswith ".dll"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled Print Job Configuration
Description: A legitimate scheduled task is configured to generate a print job that requires a color profile, which is stored in the color profile folder.
Filter/Exclusion: Exclude files with the .icc or .icm extension, as these are standard color profile files.
Example Filter: file_name NOT IN ('*.icc', '*.icm')

Scenario: Windows Update or System Maintenance Task
Description: A system maintenance task or Windows Update process may temporarily modify registry keys to use color profiles during system configuration.
Filter/Exclusion: Exclude processes associated with svchost.exe, wuauserv.exe, or taskhost.exe.
Example Filter: process_name NOT IN ('svchost.exe', 'wuauserv.exe', 'taskhost.exe')

Scenario: Adobe Color Profile Management Tool
Description: Adobe applications (e.g., Photoshop) may install or update color profiles in the color profile folder as part of their color management workflow.
Filter/Exclusion: Exclude files created by Adobe tools or with known Adobe file extensions (e.g., .icc, .icm, .profile).
Example Filter: file_name NOT IN ('*.icc', '*.icm', '*.profile') AND process_name NOT IN ('Photoshop.exe', 'Adobe Color Profile Manager.exe')

Scenario: Printer Driver Installation
Description: Installing a new printer driver may involve placing color profile files in the color profile folder as part of the driver installation process.
Filter/Exclusion: Exclude files created by known printer manufacturers (e.g., HP, Canon, Epson) or associated with driver installation.
Example Filter: file_name NOT IN ('*.icc', '*.icm') AND process_name NOT
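The scenario filters above are written in a generic pseudo-SQL form; the block below is an added example (not part of the original rule or of Microsoft's query) that folds them into the base query as working KQL. Two points it makes that the scenarios leave implicit: the .icc/.icm/.profile exclusions are already satisfied by the `.exe`/`.dll` filter in the base query, so only the process-based exclusions change the result set; and excluding on process name alone is weak, because a dropper can be named svchost.exe, so each exclusion here also requires the initiating process to run from its expected folder. The Adobe and DriverStore paths are assumptions for illustration, and the allowlist values should be validated against the environment before use.

```kql
// Added example: KNOTWEED color-profile-folder hunt with the scenario
// exclusions expressed as KQL. Allowlist paths are assumed placeholders.
let lookback = 7d;
// Scenario 2: system maintenance binaries named on this page, but only
// when they actually run from System32 (assumed trusted location).
let systemBinaries = dynamic(["svchost.exe", "taskhost.exe"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\"
// PE drops only; this already excludes .icc/.icm/.profile color profiles
| where FileName endswith ".exe" or FileName endswith ".dll"
// Scenario 2: exclude system maintenance only when name AND path agree
| where not(InitiatingProcessFileName in~ (systemBinaries)
            and InitiatingProcessFolderPath startswith @"C:\Windows\System32\")
// Scenarios 3 and 4: vendor color tools and driver installers, matched on
// the initiating process folder (assumed paths, verify per environment)
| where not(InitiatingProcessFolderPath startswith @"C:\Program Files\Adobe\"
            or InitiatingProcessFolderPath startswith @"C:\Windows\System32\DriverStore\")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessAccountName
// Group per host and dropping process so one installer run is one row
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Files = make_set(FileName, 20), Hashes = make_set(SHA256, 20),
            Hits = count()
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessAccountName
| order by Hits desc
```

Triage the remaining rows by the initiating process command line and the SHA256 set: a signed vendor installer writing a handful of DLLs once is expected, while an interactive user process or a LOLBin writing a single unsigned DLL into this folder is the pattern the KNOTWEED rule exists to catch.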