COM Registry Key Modified to Point to File in Color Profile Folder
Id | ed8c9153-6f7a-4602-97b4-48c336b299e1 |
Rulename | COM Registry Key Modified to Point to File in Color Profile Folder |
Description | This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ |
Severity | Medium |
Tactics | Persistence |
Techniques | T1574 |
Required data connectors | MicrosoftThreatProtection, SecurityEvents |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml |
Version | 1.1.1 |
Arm template | ed8c9153-6f7a-4602-97b4-48c336b299e1.json |
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
let mde_data = DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where RegistryKey has_any (guids)
| where RegistryValueData has "System32\\spool\\drivers\\color";
let event_data = SecurityEvent
| where EventID == 4657
| where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where ObjectName has_any (guids)
| where NewValue has "System32\\spool\\drivers\\color"
| extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
union mde_data, event_data
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
relevantTechniques:
- T1574
name: COM Registry Key Modified to Point to File in Color Profile Folder
requiredDataConnectors:
- dataTypes:
  - DeviceRegistryEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvents
  connectorId: SecurityEvents
entityMappings:
- fieldMappings:
  - identifier: Key
    columnName: RegistryKey
  entityType: RegistryKey
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: ProcessId
    columnName: InitiatingProcessFileName
  entityType: Process
- fieldMappings:
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: NTDomain
    columnName: InitiatingProcessAccountName
  entityType: Account
triggerThreshold: 0
id: ed8c9153-6f7a-4602-97b4-48c336b299e1
tactics:
- Persistence
version: 1.1.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml
queryPeriod: 1d
kind: Scheduled
tags:
- KNOTWEED
metadata:
  categories:
    domains:
    - Security - Others
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  source:
    kind: Community
queryFrequency: 1d
severity: Medium
description: |
  'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\.
   This can be used to enable COM hijacking for persistence.
   Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'
query: |
  let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
   let mde_data = DeviceRegistryEvents
   | where ActionType =~ "RegistryValueSet"
   | where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
   | where RegistryKey has_any (guids)
   | where RegistryValueData has "System32\\spool\\drivers\\color";
   let event_data = SecurityEvent
   | where EventID == 4657
   | where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
   | where ObjectName has_any (guids)
   | where NewValue has "System32\\spool\\drivers\\color"
   | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
   union mde_data, event_data
   | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
   | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed8c9153-6f7a-4602-97b4-48c336b299e1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed8c9153-6f7a-4602-97b4-48c336b299e1')]",
"properties": {
"alertRuleTemplateName": "ed8c9153-6f7a-4602-97b4-48c336b299e1",
"customDetails": null,
"description": "'This query looks for changes to COM registry keys to point to files in C:\\Windows\\System32\\spool\\drivers\\color\\.\n This can be used to enable COM hijacking for persistence.\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'\n",
"displayName": "COM Registry Key Modified to Point to File in Color Profile Folder",
"enabled": true,
"entityMappings": [
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "RegistryKey",
"identifier": "Key"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "InitiatingProcessFileName",
"identifier": "ProcessId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingProcessAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingProcessAccountName",
"identifier": "NTDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml",
"query": "let guids = dynamic([\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\",\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\",\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\", \"{4de225bf-cf59-4cfc-85f7-68b90f185355}\", \"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\"]);\n let mde_data = DeviceRegistryEvents\n | where ActionType =~ \"RegistryValueSet\"\n | where RegistryKey contains \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID\"\n | where RegistryKey has_any (guids)\n | where RegistryValueData has \"System32\\\\spool\\\\drivers\\\\color\";\n let event_data = SecurityEvent\n | where EventID == 4657\n | where ObjectName contains \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID\"\n | where ObjectName has_any (guids)\n | where NewValue has \"System32\\\\spool\\\\drivers\\\\color\"\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;\n union mde_data, event_data\n | extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"tags": [
"KNOTWEED"
],
"techniques": [
"T1574"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}