Drop Binaries Into Spool Drivers Color Folder

Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color" folder, as seen in the blog referenced below

Sigma rule

title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/28
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
            - '.sys'
    condition: selection
falsepositives:
    - Unknown
level: medium
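The rule's selection block re-implemented as a small matcher, as an added example (not code from the rule's author or the Sigma project), and run over constructed Sysmon Event ID 11 (FileCreate) records. Sigma's startswith/endswith modifiers compare case-insensitively, which the matcher reproduces; the event layout and the filenames are assumptions made for the example.

```python
# Re-implementation of the rule's `selection` block (added example).
# Field name TargetFilename and the prefix/suffix values come from the rule;
# the event dict layout mirrors Sysmon Event ID 11 and is an assumption.

PREFIX = "C:\\Windows\\System32\\spool\\drivers\\color\\"
SUFFIXES = (".dll", ".exe", ".sys")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string modifiers are case-insensitive, so both sides are lowercased.
    An event without a string TargetFilename (e.g. a process event) never matches.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    name = target.lower()
    return name.startswith(PREFIX.lower()) and name.endswith(SUFFIXES)


def find_hits(events) -> list:
    """Filter a sequence of events down to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; paths and process names are illustrative only.
SAMPLE_EVENTS = [
    # Legitimate ICC colour profile written to the folder: no match (not a binary).
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\color\\sRGB.icm"},
    # DLL dropped into the colour folder: match.
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\color\\loader.dll"},
    # Mixed-case path and extension: still a match (case-insensitive compare).
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "c:\\windows\\system32\\spool\\drivers\\color\\UPDATE.EXE"},
    # Binary written to a different spool subfolder: no match (prefix differs).
    {"EventID": 11, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\driver.dll"},
    # Process-creation event with no TargetFilename: no match.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["TargetFilename"])
```

The rule does not constrain the writing process, so the `Image` field of each hit is the first thing to look at when triaging a match.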
