Sigma rule | Level: medium | Hunting
Drop Binaries Into Spool Drivers Color Folder
Detects the creation of suspicious binary files (.dll, .exe, .sys) inside "\windows\system32\spool\drivers\color\", as seen in the blog referenced below
Detection Query
selection:
    TargetFilename|startswith: C:\Windows\System32\spool\drivers\color\
    TargetFilename|endswith:
        - .dll
        - .exe
        - .sys
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-28
Data Sources
windows: File Events (file_event)
Platforms
windows
Tags
attack.defense-evasion
Raw Content
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
            - '.sys'
    condition: selection
falsepositives:
    - Unknown
level: medium
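To make the selection logic concrete, the following Python evaluates this rule's `selection` over a handful of constructed Windows file-creation events. It is an added example, not code from the rule, its author or the Sigma project. It assumes the `file_event` log source is backed by Sysmon Event ID 11 (the usual Sigma mapping) and mirrors Sigma's case-insensitive string matching for the `startswith`/`endswith` modifiers; the sample events, file names and process paths are constructed for illustration.

```python
"""Added example: evaluate the 'Drop Binaries Into Spool Drivers Color Folder'
Sigma selection over constructed file-creation events.

Not part of the rule or the Sigma project. Assumes the file_event log source
is Sysmon Event ID 11 (FileCreate) and that Sigma string modifiers compare
case-insensitively, which is the Sigma default.
"""
from typing import Dict, Iterable, List

# Values taken directly from the rule's detection block.
COLOR_DIR_PREFIX = "C:\\Windows\\System32\\spool\\drivers\\color\\"
BINARY_SUFFIXES = (".dll", ".exe", ".sys")


def matches_rule(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies the rule's selection.

    Both modifiers are evaluated on lower-cased strings so that
    'C:\\WINDOWS\\System32\\...\\tool.EXE' matches just as Sigma would.
    """
    name = target_filename.lower()
    return name.startswith(COLOR_DIR_PREFIX.lower()) and name.endswith(BINARY_SUFFIXES)


def evaluate(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events the rule would alert on.

    Only Sysmon FileCreate (EventID 11) records are considered, which is the
    assumed backing for the rule's 'file_event' log source.
    """
    return [
        e for e in events
        if e.get("EventID") == 11 and matches_rule(str(e.get("TargetFilename", "")))
    ]


def summarize_by_image(hits: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count alerts per creating process, a first triage pivot for the analyst.

    Legitimate color-profile installs write .icm files, not PE binaries, so the
    creating Image of any hit is the first thing worth looking at.
    """
    counts: Dict[str, int] = {}
    for hit in hits:
        image = str(hit.get("Image", "<unknown>"))
        counts[image] = counts.get(image, 0) + 1
    return counts


# Constructed sample events (not real telemetry). Fields follow Sysmon EID 11.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # PE file dropped into the color folder: should alert
        "EventID": 11,
        "Image": "C:\\Users\\Public\\stage.exe",
        "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\color\\example.dll",
    },
    {   # Legitimate ICC color profile: not a binary, should not alert
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\colorcpl.exe",
        "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\color\\sRGB Color Space Profile.icm",
    },
    {   # Same folder, mixed case: Sigma matching is case-insensitive, should alert
        "EventID": 11,
        "Image": "C:\\Users\\Public\\stage.exe",
        "TargetFilename": "C:\\WINDOWS\\system32\\SPOOL\\DRIVERS\\COLOR\\tool.EXE",
    },
    {   # Printer driver folder, not the color folder: should not alert
        "EventID": 11,
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\printdrv.dll",
    },
    {   # Right path, but a non-FileCreate event type: outside the log source
        "EventID": 23,
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\color\\old.dll",
    },
]


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for hit in hits:
        print("ALERT", hit["Image"], "->", hit["TargetFilename"])
    print("per-image counts:", summarize_by_image(hits))
```

Only the two PE drops into the color folder fire; the `.icm` profile, the `x64\3` printer-driver path and the non-FileCreate record all fall through, which is the behaviour the `startswith`/`endswith` pair and the `file_event` log source are meant to give.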