COM Registry Key Modified to Point to File in Color Profile Folder
Id | ed8c9153-6f7a-4602-97b4-48c336b299e1 |
Rulename | COM Registry Key Modified to Point to File in Color Profile Folder |
Description | This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ |
Severity | Medium |
Tactics | Persistence |
Techniques | T1574 |
Required data connectors | MicrosoftThreatProtection SecurityEvents |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml |
Version | 1.1.1 |
Arm template | ed8c9153-6f7a-4602-97b4-48c336b299e1.json |
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
let mde_data = DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where RegistryKey has_any (guids)
| where RegistryValueData has "System32\\spool\\drivers\\color";
let event_data = SecurityEvent
| where EventID == 4657
| where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where ObjectName has_any (guids)
| where NewValue has "System32\\spool\\drivers\\color"
| extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
union mde_data, event_data
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
queryFrequency: 1d
description: |
'This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color\.
This can be used to enable COM hijacking for persistence.
Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'
severity: Medium
version: 1.1.1
relevantTechniques:
- T1574
name: COM Registry Key Modified to Point to File in Color Profile Folder
triggerThreshold: 0
kind: Scheduled
query: |
let guids = dynamic(["{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","{4590f811-1d3a-11d0-891f-00aa004b2e24}", "{4de225bf-cf59-4cfc-85f7-68b90f185355}", "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}"]);
let mde_data = DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where RegistryKey has_any (guids)
| where RegistryValueData has "System32\\spool\\drivers\\color";
let event_data = SecurityEvent
| where EventID == 4657
| where ObjectName contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
| where ObjectName has_any (guids)
| where NewValue has "System32\\spool\\drivers\\color"
| extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;
union mde_data, event_data
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceRegistryEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvents
metadata:
source:
kind: Community
author:
name: Microsoft Security Research
support:
tier: Community
categories:
domains:
- Security - Others
tactics:
- Persistence
tags:
- KNOTWEED
id: ed8c9153-6f7a-4602-97b4-48c336b299e1
queryPeriod: 1d
entityMappings:
- fieldMappings:
- columnName: RegistryKey
identifier: Key
entityType: RegistryKey
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: NTDomain
entityType: Host
- fieldMappings:
- columnName: InitiatingProcessFileName
identifier: ProcessId
entityType: Process
- fieldMappings:
- columnName: InitiatingProcessAccountName
identifier: Name
- columnName: InitiatingProcessAccountName
identifier: NTDomain
entityType: Account
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed8c9153-6f7a-4602-97b4-48c336b299e1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed8c9153-6f7a-4602-97b4-48c336b299e1')]",
"properties": {
"alertRuleTemplateName": "ed8c9153-6f7a-4602-97b4-48c336b299e1",
"customDetails": null,
"description": "'This query looks for changes to COM registry keys to point to files in C:\\Windows\\System32\\spool\\drivers\\color\\.\n This can be used to enable COM hijacking for persistence.\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'\n",
"displayName": "COM Registry Key Modified to Point to File in Color Profile Folder",
"enabled": true,
"entityMappings": [
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "RegistryKey",
"identifier": "Key"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "InitiatingProcessFileName",
"identifier": "ProcessId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingProcessAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingProcessAccountName",
"identifier": "NTDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/COMRegistryKeyModifiedtoPointtoFileinColorDrivers.yaml",
"query": "let guids = dynamic([\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\",\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\",\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\", \"{4de225bf-cf59-4cfc-85f7-68b90f185355}\", \"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\"]);\n let mde_data = DeviceRegistryEvents\n | where ActionType =~ \"RegistryValueSet\"\n | where RegistryKey contains \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID\"\n | where RegistryKey has_any (guids)\n | where RegistryValueData has \"System32\\\\spool\\\\drivers\\\\color\";\n let event_data = SecurityEvent\n | where EventID == 4657\n | where ObjectName contains \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID\"\n | where ObjectName has_any (guids)\n | where NewValue has \"System32\\\\spool\\\\drivers\\\\color\"\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;\n union mde_data, event_data\n | extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"tags": [
"KNOTWEED"
],
"techniques": [
"T1574"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}