Attack technique
Technique name: Masquerading file directory using colorcpl.exe
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: Masquerading: Match Legitimate Name or Location (T1036.005)
Technique description
The colorcpl.exe executable is a Windows utility that launches the Color Management interface. Run without parameters, it simply opens that interface. When a file parameter is supplied, however, colorcpl.exe copies the file into the c:\windows\system32\spool\drivers\color directory. This behaviour can be abused to conceal files and bypass security measures by executing files from an unconventional directory location.
Insights from threat intelligence
The method appears distinctive, yet it is frequently employed by the APT group "Guildma". Apart from Guildma, there is currently no reference to any other group using this technique.
Seen in the wild since: 2019
Threat hunting theses breakdown
Suspicious indirect execution using conhost.exe
Relevant data sources: EDR Telemetry Logs
Thesis explanation
The thesis aims to detect suspicious use of colorcpl.exe, in particular invocations with unexpected file parameters such as executables and scripts. Based on Axon research, the colorcpl.exe binary is usually executed without a target file parameter; when one is present, it normally carries an icon file extension such as icc, icm, cdm or gmmp.
Blind spots
- An attacker can pass a masqueraded binary carrying one of the icon file extensions (icc, icm, cdm, gmmp), which this thesis would not flag on its own.
Recommended investigation flow
- Investigate the target parameter provided to the colorcpl.exe process
- Investigate file operations made by the colorcpl.exe process to gain additional metadata on the target file, such as its hash and original file type.
- If the provided file parameter appears to carry an icon extension, confirm the extension is not masqueraded before closing the incident.
- Was the binary or file masqueraded into c:\windows\system32\spool\drivers\color subsequently executed? If so, investigate its actions.
- Investigate the process tree (child processes).
- Investigate remote network connections made by the process.
- Investigate file operations, such as additional files that have been dropped to disk by the process.
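The thesis logic (colorcpl.exe invoked with a file parameter outside the expected icon extensions) together with the masqueraded-extension check from the investigation flow, as an added Python example that is not part of the Hunters content; the EDR event shape (image, cmdline fields), the file paths and the header bytes are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions the thesis treats as expected colorcpl.exe input
EXPECTED_EXTENSIONS = {"icc", "icm", "cdm", "gmmp"}

# Constructed sample EDR process-creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\colorcpl.exe", "cmdline": "colorcpl.exe"},
    {"image": r"C:\Windows\System32\colorcpl.exe", "cmdline": r'colorcpl.exe "C:\Users\alice\Downloads\display.icc"'},
    {"image": r"C:\Windows\System32\colorcpl.exe", "cmdline": r"colorcpl.exe C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"image": r"C:\Windows\System32\colorcpl.exe", "cmdline": r"colorcpl.exe C:\Users\alice\AppData\Local\Temp\loader.js"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\tmp\notes.exe"},
]

def target_argument(cmdline):
    """Return the first argument after the image name, with surrounding quotes stripped."""
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s+(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)

def evaluate_event(event):
    """Return a finding dict when the event matches the thesis, else None."""
    if PureWindowsPath(event["image"]).name.lower() != "colorcpl.exe":
        return None
    target = target_argument(event["cmdline"])
    if target is None:
        return None  # no file parameter: colorcpl.exe only opens the Color Management UI
    ext = PureWindowsPath(target).suffix.lstrip(".").lower()
    if ext in EXPECTED_EXTENSIONS:
        return None  # expected profile type; this is the blind spot if the extension is masqueraded
    return {"target": target, "extension": ext or "<none>", "cmdline": event["cmdline"]}

def hunt(events):
    """Run the thesis over a batch of events and collect the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f]

def looks_like_pe(header):
    """Triage helper for the blind spot: a file with a profile extension whose first bytes are the MZ magic is a masqueraded executable."""
    return header[:2] == b"MZ"

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("suspicious colorcpl.exe file parameter:", finding)
    # constructed header bytes of a PE file renamed to .icc
    print("masqueraded .icc:", looks_like_pe(b"MZ\x90\x00\x03\x00"))
```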
Hunters content
Detection: File Directory Masquerading Using colorcpl.exe