Sigma rule (DRL-1.1) from SigmaHQ/sigma
Drop Binaries Into Spool Drivers Color Folder
Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder, as seen in the blog referenced below
Quality: 98 | FP risk: — | Forks: 0 | Views: 0
Rule source: rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder, as seen in the blog referenced below
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
            - '.sys'
    condition: selection
falsepositives:
    - Unknown
level: medium
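The selection above is a prefix test AND-ed with a suffix test, where the three suffixes under one modifier are OR-ed, and Sigma compares strings case-insensitively by default. The following Python is an added example, not part of the SigmaHQ rule or of this catalog page: it applies that logic to a handful of constructed Sysmon Event ID 11 (FileCreate) records, which is the telemetry the rule's windows/file_event logsource is assumed to map to here. The folder's legitimate contents are ICC colour profiles (.icm/.icc), so a profile write from spoolsv.exe does not fire, while a .dll/.exe/.sys landing there does regardless of path casing; a FileDelete record with the same name is ignored because it is not a file_event create.

```python
"""Added example (not part of the SigmaHQ rule or the catalog page): evaluates
the rule's detection block over constructed Sysmon Event ID 11 (FileCreate)
records, the assumed backing telemetry for logsource category file_event."""

from typing import Dict, Iterable, List

# Constants copied from the rule's selection block.
PREFIX = "C:\\Windows\\System32\\spool\\drivers\\color\\"
SUFFIXES = (".dll", ".exe", ".sys")  # values under one modifier: any may match (OR)

FILE_CREATE_EVENT_ID = 11  # Sysmon FileCreate; assumed mapping for category: file_event


def matches_rule(target_filename: str) -> bool:
    """Apply 'TargetFilename|startswith' AND 'TargetFilename|endswith'.

    Sigma string comparisons are case-insensitive by default, so both sides are
    lower-cased; a backend that compiled the rule case-sensitively would miss
    the 'drv.SYS' sample below.
    """
    name = target_filename.lower()
    return name.startswith(PREFIX.lower()) and name.endswith(SUFFIXES)


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Return the FileCreate events that fire the rule.

    Records that are not FileCreate are skipped because the rule's logsource is
    file_event; other Sysmon event types never reach this selection.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != FILE_CREATE_EVENT_ID:
            continue
        if matches_rule(ev.get("TargetFilename", "")):
            hits.append(ev)
    return hits


# Constructed sample telemetry; images and file names are invented for the demo.
SAMPLE_EVENTS = [
    # Legitimate content of the folder: an ICC colour profile, not a binary.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetFilename": PREFIX + "sRGB Color Space Profile.icm"},
    # A DLL written from a user-writable temp path: should fire.
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": PREFIX + "helper.dll"},
    # Mixed-case path and extension: still fires under Sigma's default matching.
    {"EventID": 11, "Image": "C:\\Windows\\Temp\\upd.exe",
     "TargetFilename": "c:\\windows\\system32\\SPOOL\\drivers\\color\\drv.SYS"},
    # A printer driver written to a sibling folder: outside the rule's prefix.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\unidrv.dll"},
    # FileDelete (Event ID 23) of a matching name: not a file_event create.
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": PREFIX + "helper.dll"},
]


def hit_filenames(events: Iterable[Dict] = SAMPLE_EVENTS) -> List[str]:
    """TargetFilename of every record in `events` that fires the rule."""
    return [ev["TargetFilename"] for ev in scan(events)]


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT {ev['Image']} -> {ev['TargetFilename']}")
```

The `Image` field is carried along only for triage context: a hit written by spoolsv.exe itself and a hit written from a temp directory warrant very different follow-up, which is one way to work down the "Unknown" false-positive rate the rule declares.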