Suspicious Creation with Colorcpl
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (2 selectors)
detection:
    selection:
        Image|endswith: '\colorcpl.exe'
    filter_ext:
        TargetFilename|endswith:
            - '.icm'
            - '.gmmp'
            - '.cdmp'
            - '.camp'
    condition: selection and not 1 of filter_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
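To show how the detection block above behaves on real-looking telemetry, here is an added example that evaluates the rule's two selectors and its condition against constructed Windows file-creation events. This is illustration code written for this page, not the Sigma project's engine or any backend's output; the event field names follow the Sysmon Event ID 11 convention (Image, TargetFilename), the sample paths are made up, and the evaluator implements only the `endswith` modifier and plain equality that this rule needs. It also applies Sigma's default case-insensitive string matching, which matters here because a write by `COLORCPL.EXE` to `Display.ICM` must be filtered exactly like its lower-case form.

```python
# Added example (not from the page or the Sigma project): evaluate this rule's
# selectors against constructed Windows file-event records.

# The rule's detection block transcribed as Python data. Keys keep Sigma's
# "field|modifier" form. Values in a list are OR-ed; fields within one
# selector are AND-ed; "1 of filter_*" means any filter selector matching.
SELECTION = {"Image|endswith": ["\\colorcpl.exe"]}
FILTERS = {
    "filter_ext": {
        "TargetFilename|endswith": [".icm", ".gmmp", ".cdmp", ".camp"],
    },
}


def _field_matches(event, key, values):
    """Apply one Sigma field test. Sigma string matching is case-insensitive
    by default, so both sides are lower-cased before comparison."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "":
        return actual in wanted
    raise ValueError("unsupported modifier for this example: " + modifier)


def _selector_matches(event, selector):
    """All fields of a selector must match (Sigma AND semantics within a map)."""
    return all(_field_matches(event, key, values)
               for key, values in selector.items())


def rule_matches(event):
    """Implements: condition: selection and not 1 of filter_*"""
    if not _selector_matches(event, SELECTION):
        return False
    return not any(_selector_matches(event, f) for f in FILTERS.values())


def find_hits(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


# Constructed sample events (Sysmon Event ID 11 style fields); all paths are
# invented for this example.
SAMPLE_EVENTS = [
    # colorcpl.exe writing a non-profile file into the color driver directory:
    # this is the behaviour the rule is after.
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\notaprofile.dll"},
    # Legitimate colour-profile install: excluded by filter_ext.
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\sRGB.icm"},
    # Same as above but with mixed case: still excluded because matching is
    # case-insensitive.
    {"Image": r"C:\WINDOWS\SYSTEM32\COLORCPL.EXE",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\Display.ICM"},
    # A different process writing the same file name: selection does not match.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\notaprofile.dll"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: colorcpl.exe created non-profile file", hit)
```

Only the first sample event produces a hit; the two profile writes fall under filter_ext and the explorer.exe write never satisfies the selection. During triage, the same file extension check is a quick first pass: a hit whose TargetFilename carries an unexpected extension in that directory is the case the rule's description (an arbitrary file copied into the color directory) is about.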
References
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Techniques: T1564 (attack.t1564)
Rule Metadata
Rule ID
e15b518d-b4ce-4410-a9cd-501f23ce4a18
Status
test
Level
high
Type
Detection
Created
Fri Jan 21
Modified
Thu Jan 05
Author
Path
rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
Raw Tags
attack.defense-evasion, attack.t1564