Suspicious Creation with Colorcpl

 1title: Suspicious Creation with Colorcpl
 2id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
 3status: test
 4description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
 5references:
 6    - https://twitter.com/eral4m/status/1480468728324231172?s=20
 7author: frack113
 8date: 2022/01/21
 9modified: 2023/01/05
10tags:
11    - attack.defense_evasion
12    - attack.t1564
13logsource:
14    product: windows
15    category: file_event
16detection:
17    selection:
18        Image|endswith: '\colorcpl.exe'
19    filter_ext:
20        TargetFilename|endswith:
21            - '.icm'
22            - '.gmmp'
23            - '.cdmp'
24            - '.camp'
25    condition: selection and not 1 of filter_*
26falsepositives:
27    - Unknown
28level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Detect Virtualbox Driver Installation OR Starting Of VMs
• Parent in Public Folder Suspicious Process
• Sysmon Configuration Error
• ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
• Suspicious Process Execution in PerfLogs Directory