The hypothesis is that an adversary is leveraging the colorcpl.exe process to covertly copy malicious files into the system32 directory, potentially establishing persistence or executing payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats that exploit this technique to evade traditional detection methods.
Detection Rule
title: Suspicious Creation with Colorcpl
id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
status: test
description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
references:
    - https://twitter.com/eral4m/status/1480468728324231172?s=20
author: frack113
date: 2022-01-21
modified: 2023-01-05
tags:
    - attack.defense-evasion
    - attack.t1564
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\colorcpl.exe'
    filter_ext:
        TargetFilename|endswith:
            - '.icm'
            - '.gmmp'
            - '.cdmp'
            - '.camp'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
// ASIM imFileEvent: the process that wrote the file is ActingProcessName; TargetFilePath/TargetFileName describe the file written.
// The Sigma 'Image' field therefore maps to ActingProcessName, not TargetFilePath; file_event corresponds to file creation.
imFileEvent
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\colorcpl.exe"
| where not(TargetFileName endswith ".icm" or TargetFileName endswith ".gmmp" or TargetFileName endswith ".cdmp" or TargetFileName endswith ".camp")
Scenario: A system administrator is using Color Management Tool (part of Windows) to install a new color profile.
Filter/Exclusion: Check for the presence of colorcpl.exe in the system’s known good applications list or verify the file’s digital signature.
Additional Context: The tool is legitimate and often used in enterprise environments for printer color calibration.

Scenario: A scheduled task is configured to run a script that generates a file in the c:\windows\system32\spool\drivers\color\ directory as part of a regular maintenance process.
Filter/Exclusion: Exclude tasks that are registered in the Task Scheduler with known legitimate names or paths.
Additional Context: Use the Task Scheduler log to identify and whitelist such tasks.

Scenario: A printer driver installation process is executing, which includes copying color profile files to the c:\windows\system32\spool\drivers\color\ directory.
Filter/Exclusion: Exclude files that are associated with known printer manufacturers (e.g., HP, Canon, Epson) and are part of a standard driver installation.
Additional Context: Check the file hash against known good driver files from trusted vendors.

Scenario: A third-party application (e.g., Adobe ColorSync) is copying color profiles to the system directory as part of its normal operation.
Filter/Exclusion: Exclude files that match the known file names and hashes of the third-party application.
Additional Context: Verify the application’s digital signature and ensure it’s from a trusted source.

Scenario: A Windows Update or Group Policy deployment is copying color profile files to the system directory during an OS update.
Filter/Exclusion: Exclude files that are created during known update cycles or are associated with Windows Update or
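To make the rule's condition and the tuning advice above concrete, here is an added Python example (not part of the Sigma rule, its KQL conversion, or the rule author's work). It re-implements the `selection and not 1 of filter_*` logic over constructed Sysmon Event ID 11 (FileCreate) records, then applies the hash-based allowlisting recommended in the false-positive scenarios. The field names `Image` and `TargetFilename` mirror Sysmon; the `sha256` value is an assumed enrichment field, because Event 11 itself carries no file hash, and every hash and path in the sample data is constructed.

```python
"""Added example: evaluate the 'Suspicious Creation with Colorcpl' Sigma
logic over constructed Sysmon Event ID 11 records, then apply a hash
allowlist as a tuning layer. Not the rule's own code; all data is made up."""
import hashlib

# filter_ext from the rule: extensions colorcpl.exe legitimately writes.
BENIGN_EXTENSIONS = (".icm", ".gmmp", ".cdmp", ".camp")

# Constructed allowlist of SHA-256 values for vendor-supplied files that are
# written with a non-profile extension (placeholder hashes, not real files).
KNOWN_GOOD_HASHES = {
    hashlib.sha256(b"constructed: vendor calibration helper v1").hexdigest(),
}

# Constructed Event ID 11 records (no real hosts, users, files or hashes).
# 'sha256' is assumed to be added by a separate enrichment step.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm"},
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\stage2.exe"},
    {"Image": r"C:\WINDOWS\SYSTEM32\COLORCPL.EXE",   # casing varies between sources
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\loader.dll",
     "sha256": hashlib.sha256(b"constructed: vendor calibration helper v1").hexdigest()},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\dropper.exe"},
]


def sigma_match(event):
    """Rule condition 'selection and not 1 of filter_*'.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before the endswith comparisons.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    selection = image.endswith("\\colorcpl.exe")
    filter_ext = target.endswith(BENIGN_EXTENSIONS)
    return selection and not filter_ext


def triage(event):
    """Return 'filtered' (rule did not fire), 'allowlisted' (fired but the
    file hash is on the vendor allowlist) or 'alert'."""
    if not sigma_match(event):
        return "filtered"
    if event.get("sha256", "").lower() in KNOWN_GOOD_HASHES:
        return "allowlisted"
    return "alert"


def run(events=SAMPLE_EVENTS):
    """Map each record's target file name to its triage verdict."""
    return {e["TargetFilename"].rsplit("\\", 1)[-1]: triage(e) for e in events}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{verdict:12} {name}")
```

The allowlist is keyed on the hash of the written file rather than on its name or directory, so a renamed payload dropped into the colour directory still alerts; only a file whose content matches a vetted vendor artefact is suppressed, which is the exclusion the driver-installation and third-party-application scenarios call for. Note that the `explorer.exe` record is ignored by the rule itself: the Sigma selection keys on the creating process, not on the destination directory.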