Adversaries may drop PE files in the Color Profile Folder to evade detection and execute malicious code under the guise of legitimate printing or imaging software. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware persistence and execution attempts that leverage trusted system directories.
KQL Query

```kql
DeviceFileEvents
| where ActionType =~ "FileCreated"
| where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\"
| where FileName endswith ".exe" or FileName endswith ".dll"
```
```yaml
id: f68a5046-b7eb-4f69-9519-1e99708bb9e0
name: PE file dropped in Color Profile Folder
description: |
  'This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\.
  This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.
  Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  - T1203
tags:
  - KNOTWEED
query: |
  DeviceFileEvents
  | where ActionType =~ "FileCreated"
  | where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\"
  | where FileName endswith ".exe" or FileName endswith ".dll"
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
version: 1.0.1
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: A legitimate system update or patching tool (e.g., Windows Update or Microsoft Endpoint Configuration Manager) places a PE file in the color profile folder during a scheduled maintenance task.
Filter/Exclusion: Check for file hashes against known good update files or use a filter like file_hash in (known_update_hashes) or process_name contains "WindowsUpdate".
Scenario: A printer driver installation or update process (e.g., from HP, Canon, or Epson) temporarily writes a PE file to the color profile folder during driver installation.
Filter/Exclusion: Filter by process_name contains "hpqprint" or process_name contains "epson" or check for file_name contains "printer_driver".
Scenario: A system administrator manually moves a PE file (e.g., a custom script or tool) to the color profile folder for testing or configuration purposes.
Filter/Exclusion: Use a filter like user_account contains "admin" or process_name contains "explorer.exe" with a note that the user is a known admin performing a legitimate task.
Scenario: A scheduled job (e.g., via Task Scheduler) runs a legitimate script or application that writes a PE file to the color profile folder as part of a routine configuration or reporting task.
Filter/Exclusion: Filter by task_name contains "reporting" or task_name contains "configuration" or check for process_name contains "schtasks.exe".
Scenario: A third-party application (e.g., Adobe ColorSync or a color calibration tool) places a PE file in the color profile folder as part of its operation.
Filter/Exclusion: Use a filter like process_name contains "AdobeColorSync" or file_name contains "colorsync" or check for file_hash in (known_colorsync_hashes).
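As an added example (not the rule's own query, nor the author's or Microsoft's code), here is the rule with the tuning scenarios above applied using the columns DeviceFileEvents actually carries (InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName, SHA256). The allowlisted process names and SHA256 values are constructed placeholders, and the `C:\Program Files` check and the `ReviewReason` labels are assumptions made for triage.

```kql
// Added example: the Color Profile Folder rule with allowlists and triage context.
// Allowlists are constructed placeholders; in production keep them in a Sentinel watchlist.
let ColorDir = @"C:\Windows\System32\spool\drivers\color\";
// Scenarios 2 and 5: installers and colour-management tools that legitimately write here (constructed names).
let KnownInstallers = dynamic(["hpqprint.exe", "epsonsetup.exe", "colorsync.exe"]);
// Scenarios 1 and 5: SHA256 of known-good update or calibration binaries (placeholder values).
let KnownGoodHashes = datatable(SHA256: string)
[
    "0000000000000000000000000000000000000000000000000000000000000001", // placeholder
    "0000000000000000000000000000000000000000000000000000000000000002"  // placeholder
];
DeviceFileEvents
| where ActionType =~ "FileCreated"
// FolderPath holds the full path of the written file; an anchored match avoids look-alike paths elsewhere.
| where FolderPath startswith ColorDir
| where FileName endswith ".exe" or FileName endswith ".dll"
// Drop writes whose content hash is allowlisted (hash match is stronger than a process-name match).
| join kind=leftanti KnownGoodHashes on SHA256
// Drop writes by allowlisted installers, but only when the installer itself runs from Program Files;
// a dropper can reuse a vendor file name, so the name alone is not trusted (assumed location check).
| where not(InitiatingProcessFileName in~ (KnownInstallers)
            and InitiatingProcessFolderPath startswith @"C:\Program Files")
// Scenarios 3 and 4 stay visible but are labelled so an analyst can confirm them instead of suppressing them.
| extend ReviewReason = case(
    InitiatingProcessFileName =~ "explorer.exe", "interactive copy: confirm the account is an authorised admin",
    InitiatingProcessAccountName =~ "system", "service or scheduled task: confirm the task or service name",
    "unexpected writer: treat as suspicious")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, ReviewReason
```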