KQL | MIT | from Azure/Azure-Sentinel
PE file dropped in Color Profile Folder
This query looks for writes of PE files to C:\Windows\System32\spool\drivers\color\. This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Quality: 90
FP risk: —
Rule source: Detections/DeviceFileEvents/PEfiledroppedinColorDriversFolder.yaml
DeviceFileEvents
| where ActionType =~ "FileCreated"
| where FolderPath has "C:\\Windows\\System32\\spool\\drivers\\color\\"
| where FileName endswith ".exe" or FileName endswith ".dll"