
Suspicious File Creation with Colorcpl

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Colorcpl.exe is a command-line tool for managing color profiles and display settings through the Windows Color Management panel. If it is executed without any parameters, the colorcpl.exe command will just open the tool and copy the arbitrary file to the c:\windows\system32\spool\drivers\color\ folder. By doing so, attackers can bypass security controls.

Impact:

It can impact organizations in the following ways:

  • Unauthorized file creation with colorcpl can lead to data theft.
  • Unauthorized modification can lead to data compromise.
  • Privilege escalation.

Data source:

Windows:

Required configuration: The rule is based on process creation and termination. The prerequisites are installing and configuring Sysmon, enabling the audit process creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution

Techniques: T1059 - Command and Scripting Interpreter

Sub Techniques: T1059.005 - Visual Basic, T1059.007 - JavaScript

Criteria:

( Process name ends with "Windows\System32\colorcpl.exe" OR Process name ends with "Windows\SysWow64\colorcpl.exe" OR Process name ends with "WINNT\System32\colorcpl.exe" )

"Colorcpl.exe" is located in two standard directories within the Windows folder, i.e. "System32" or "SysWow64", as listed in the criteria above. If the process is found in either of these locations, it is considered legitimate. If there is any discrepancy in the location or in the process name, it could be considered suspicious.
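The path check above, applied to process and file events, as an added example that is not part of the original rule or the product's own logic. It assumes events arrive as dictionaries using the Sysmon field names Image, CommandLine, ProcessGuid and TargetFilename (Event ID 1 for process creation, Event ID 11 for file creation); the function names and the sample events are constructed for illustration.

```python
import ntpath

# Path suffixes copied from the rule's criteria; compared case-insensitively.
CRITERIA_SUFFIXES = (
    r"windows\system32\colorcpl.exe",
    r"windows\syswow64\colorcpl.exe",
    r"winnt\system32\colorcpl.exe",
)
COLOR_DIR = r"\system32\spool\drivers\color" + "\\"


def classify_image(image):
    """Return 'criteria_match', 'unexpected_location', or None for a process image path."""
    path = image.strip().strip('"').replace("/", "\\").lower()
    if path.endswith(CRITERIA_SUFFIXES):
        return "criteria_match"
    if ntpath.basename(path) == "colorcpl.exe":
        return "unexpected_location"  # same name, non-standard folder
    return None


def correlate(events):
    """Pair colorcpl process creations (EventID 1) with files the same
    ProcessGuid wrote under the color profile folder (EventID 11)."""
    alerts = {}
    for ev in events:
        verdict = classify_image(ev.get("Image", ""))
        if verdict is None:
            continue
        guid = ev["ProcessGuid"]
        alert = alerts.setdefault(guid, {"verdict": verdict, "command_line": None, "files": []})
        if ev["EventID"] == 1:
            alert["command_line"] = ev.get("CommandLine")
        elif ev["EventID"] == 11 and COLOR_DIR in ev["TargetFilename"].lower():
            alert["files"].append(ev["TargetFilename"])
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-a}", "Image": r"C:\Windows\System32\colorcpl.exe", "CommandLine": "colorcpl.exe"},
    {"EventID": 11, "ProcessGuid": "{guid-a}", "Image": r"C:\Windows\System32\colorcpl.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\color\sample.bin"},
    {"EventID": 1, "ProcessGuid": "{guid-b}", "Image": r"C:\Users\Public\colorcpl.exe", "CommandLine": "colorcpl.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-c}", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Attaching the files written under the color folder to each alert gives the analyst the artifact to inspect during triage, which helps separate the administrative use noted under known false positives from unexpected file drops.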

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that a suspicious Colorcpl command has been executed. This empowers you to take corrective actions, such as deploying FIM tools.

Known false positives: This event may be generated by administrators for managing the color profiles of printers, monitors, and other devices connected to the system.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or as part of an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to stop the malicious process.
  • Implement File Integrity Monitoring (FIM): Use FIM tools to monitor file system events, including those involving Colorcpl.