Suspicious Creation with Colorcpl
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
Sigma rule (View on GitHub)
1title: Suspicious Creation with Colorcpl
2id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
3status: test
4description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
5references:
6 - https://twitter.com/eral4m/status/1480468728324231172?s=20
7author: frack113
8date: 2022-01-21
9modified: 2023-01-05
10tags:
11 - attack.defense-evasion
12 - attack.t1564
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 Image|endswith: '\colorcpl.exe'
19 filter_ext:
20 TargetFilename|endswith:
21 - '.icm'
22 - '.gmmp'
23 - '.cdmp'
24 - '.camp'
25 condition: selection and not 1 of filter_*
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Detect Virtualbox Driver Installation OR Starting Of VMs
- PUA - Process Hacker Execution
- PUA - System Informer Execution
- Potentially Suspicious Execution From Parent Process In Public Folder
- Suspicious Executable File Creation