Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. PE file dropped in Color Profile Folder

PE file dropped in Color Profile Folder

Back
Idf68a5046-b7eb-4f69-9519-1e99708bb9e0
RulenamePE file dropped in Color Profile Folder
DescriptionThis query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\.

This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.

Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
SeverityMedium
TacticsExecution
TechniquesT1203
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml
Version1.0.1
Arm templatef68a5046-b7eb-4f69-9519-1e99708bb9e0.json
Deploy To Azure
DeviceFileEvents
  | where ActionType =~ "FileCreated"
  | where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\" 
  | where FileName endswith ".exe" or FileName endswith ".dll"

queryPeriod: 1d
query: |
  DeviceFileEvents
    | where ActionType =~ "FileCreated"
    | where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\" 
    | where FileName endswith ".exe" or FileName endswith ".dll"  
name: PE file dropped in Color Profile Folder
entityMappings:
- fieldMappings:
  - columnName: FileName
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: DeviceName
    identifier: HostName
  entityType: Host
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml
tags:
- KNOTWEED
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
description: |
  'This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\.
    This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.
    Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/'  
kind: Scheduled
version: 1.0.1
metadata:
  author:
    name: Pete Bryan
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  source:
    kind: Community
queryFrequency: 1d
severity: Medium
relevantTechniques:
- T1203
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
id: f68a5046-b7eb-4f69-9519-1e99708bb9e0