Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. COM Registry Key Modified to Point to File in Color Profile Folder

COM Registry Key Modified to Point to File in Color Profile Folder

Back
Ided8c9153-6f7a-4602-97b4-48c336b299e1
RulenameCOM Registry Key Modified to Point to File in Color Profile Folder
DescriptionThis query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\.

This can be used to enable COM hijacking for persistence.

Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
SeverityMedium
TacticsPersistence
TechniquesT1574
Required data connectorsMicrosoftThreatProtection
SecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml
Version1.1.1
Arm templateed8c9153-6f7a-4602-97b4-48c336b299e1.json
Deploy To Azure
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
  let mde_data = DeviceRegistryEvents
  | where ActionType =~ "RegistryValueSet"
  | where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
  | where RegistryKey has_any (guids)
  | where RegistryValueData has "System32\\spool\\drivers\\color";
  let event_data = SecurityEvent
  | where EventID == 4657
  | where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
  | where ObjectName has_any (guids)
  | where NewValue has "System32\\spool\\drivers\\color"
  | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
  union mde_data, event_data
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)

requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceRegistryEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml
triggerThreshold: 0
description: |
  'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\.
    This can be used to enable COM hijacking for persistence.
    Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'  
tags:
- KNOTWEED
relevantTechniques:
- T1574
queryPeriod: 1d
name: COM Registry Key Modified to Point to File in Color Profile Folder
entityMappings:
- entityType: RegistryKey
  fieldMappings:
  - columnName: RegistryKey
    identifier: Key
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: InitiatingProcessFileName
    identifier: ProcessId
- entityType: Account
  fieldMappings:
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountName
    identifier: NTDomain
queryFrequency: 1d
metadata:
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
triggerOperator: gt
kind: Scheduled
tactics:
- Persistence
severity: Medium
version: 1.1.1
query: |
  let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
    let mde_data = DeviceRegistryEvents
    | where ActionType =~ "RegistryValueSet"
    | where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
    | where RegistryKey has_any (guids)
    | where RegistryValueData has "System32\\spool\\drivers\\color";
    let event_data = SecurityEvent
    | where EventID == 4657
    | where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
    | where ObjectName has_any (guids)
    | where NewValue has "System32\\spool\\drivers\\color"
    | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
    union mde_data, event_data
    | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
    | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
id: ed8c9153-6f7a-4602-97b4-48c336b299e1