T1218.002 Control Panel Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousCPLPaths = dynamic(["Temp", "AppData", "Downloads", "Public", "ProgramData"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "control.exe"
| where ProcessCommandLine has ".cpl"
| extend SuspiciousPath = ProcessCommandLine has_any (SuspiciousCPLPaths)
| extend NetworkPath = ProcessCommandLine has_any ("http://", "https://", "\\\\")
| extend OfficeParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
| extend ScriptParent = InitiatingProcessFileName has_any ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, SuspiciousPath, NetworkPath, OfficeParent, ScriptParent
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "control.exe"
  | where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers that register and open CPL files from ProgramData or temp directories
Third-party Control Panel applets for hardware management (display drivers, audio controllers, VPN clients)
Enterprise IT tools that use CPL files for configuration management or deployment
Antivirus or security software that includes CPL-based management interfaces

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\control.exe" OR ParentImage="*\\control.exe")
| eval HasCPL=if(match(CommandLine, "\.cpl"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|ProgramData)"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval ScriptParent=if(match(ParentImage, "(wscript|cscript|mshta|cmd|powershell)\.exe"), 1, 0)
| eval SuspiciousChild=if(match(Image, "(cmd|powershell|wscript|cscript|rundll32|regsvr32)\.exe") AND ParentImage="*\\control.exe", 1, 0)
| eval RiskScore=HasCPL + SuspiciousPath + OfficeParent + ScriptParent + SuspiciousChild
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HasCPL, SuspiciousPath, OfficeParent, ScriptParent, SuspiciousChild, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers that register and open CPL files from ProgramData or temp directories
Third-party Control Panel applets for hardware management (display drivers, audio controllers, VPN clients)
Enterprise IT tools that use CPL files for configuration management or deployment
Antivirus or security software that includes CPL-based management interfaces

Elastic Security (EQL)

eql

sequence by host.id with maxspan=2m
  [process where event.type == "start" and process.name : "control.exe" and
   (process.args : "*.cpl" or process.command_line : "*.cpl") and
   (process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*ProgramData*") or
    process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                            "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"))]
until [process where event.type == "start" and process.parent.name : "control.exe" and
       process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT admin tools invoking control.exe with custom CPL files stored in non-standard paths during software deployment
Software installers that temporarily extract CPL files to AppData or Temp directories during legitimate setup routines
Group Policy or MDM-managed scripts that call control.exe as part of system configuration workflows

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip, username, hostname,
       "Process Name", "Command", "Parent Process Name", "Parent Command"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (LOWER("Process Name") LIKE '%control.exe%' OR LOWER("Parent Process Name") LIKE '%control.exe%')
  AND (
    (LOWER("Process Name") LIKE '%control.exe%' AND LOWER("Command") LIKE '%.cpl%')
    OR
    (LOWER("Parent Process Name") LIKE '%control.exe%' AND
     LOWER("Process Name") IN ('cmd.exe','powershell.exe','wscript.exe','cscript.exe','rundll32.exe','regsvr32.exe'))
  )
  AND (LOWER("Command") LIKE '%temp%'
    OR LOWER("Command") LIKE '%appdata%'
    OR LOWER("Command") LIKE '%downloads%'
    OR LOWER("Command") LIKE '%public%'
    OR LOWER("Command") LIKE '%programdata%'
    OR LOWER("Parent Process Name") LIKE '%winword.exe%'
    OR LOWER("Parent Process Name") LIKE '%excel.exe%'
    OR LOWER("Parent Process Name") LIKE '%outlook.exe%'
    OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
    OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via QRadar Universal DSM

Required Tables

events

False Positives

Enterprise software suites that ship legitimate CPL files extracted to temporary directories during installation
Help desk remote management tools that invoke control.exe panels programmatically
Automated build or test systems running control.exe in scripted environments as part of QA pipelines

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventID" = "1" OR %"EventCode" = "1" OR %"EventID" = "4688")
| where (toLowerCase(%"Image") matches "*\\control.exe" OR toLowerCase(%"ParentImage") matches "*\\control.exe")
| eval has_cpl = if (toLowerCase(%"CommandLine") matches "*.cpl*", 1, 0)
| eval suspicious_path = if (
    toLowerCase(%"CommandLine") matches "*(temp|appdata|downloads|public|programdata)*", 1, 0)
| eval office_parent = if (
    toLowerCase(%"ParentImage") matches "*(winword|excel|outlook|powerpnt).exe*", 1, 0)
| eval script_parent = if (
    toLowerCase(%"ParentImage") matches "*(wscript|cscript|mshta|cmd|powershell).exe*", 1, 0)
| eval suspicious_child = if (
    toLowerCase(%"ParentImage") matches "*\\control.exe" and
    toLowerCase(%"Image") matches "*(cmd|powershell|wscript|cscript|rundll32|regsvr32).exe*", 1, 0)
| eval risk_score = has_cpl + suspicious_path + office_parent + script_parent + suspicious_child
| where risk_score > 0
| fields _messageTime, %"host", %"User", %"Image", %"CommandLine", %"ParentImage", %"ParentCommandLine", has_cpl, suspicious_path, office_parent, script_parent, suspicious_child, risk_score
| sort by - _messageTime

high severity high confidence

Data Sources

Sumo Logic Windows Source (Sysmon) Sumo Logic Installed Collector with Windows Event Log source

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Windows Update or patch management systems that deploy CPL files to ProgramData as part of legitimate updates
Security software (DLP, endpoint agents) that installs control panel applets to user AppData directories
IT scripts that automate display or accessibility settings via control.exe from managed script directories

Google Chronicle / SecOps

yaral

rule t1218_002_control_panel_cpl_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of control.exe to proxy execution of malicious CPL payloads (T1218.002)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack = "T1218.002"
    reference = "https://attack.mitre.org/techniques/T1218/002/"

  events:
    // Pattern 1: control.exe loading a CPL file from a suspicious path
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path = /(?i)\\control\.exe$/
    (
      $e1.target.process.command_line = /(?i)\.cpl/ and
      (
        $e1.target.process.command_line = /(?i)(temp|appdata|downloads|public|programdata)/
        or $e1.principal.process.file.full_path = /(?i)(winword|excel|outlook|powerpnt|wscript|cscript|mshta|cmd|powershell)\.exe$/
      )
    )

  match:
    $e1 over 24h

  condition:
    $e1
}

rule t1218_002_control_panel_suspicious_child {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects control.exe spawning suspicious child processes (T1218.002)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack = "T1218.002"

  events:
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    $e2.principal.process.file.full_path = /(?i)\\control\.exe$/
    $e2.target.process.file.full_path = /(?i)\\(cmd|powershell|wscript|cscript|rundll32|regsvr32)\.exe$/

  match:
    $e2 over 1h

  condition:
    $e2
}

high severity high confidence

Data Sources

Chronicle UDM (Windows Endpoint) Chronicle Forwarder with Sysmon or Windows Event Logs

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Corporate IT management software that legitimately invokes control.exe with custom CPL applets installed to vendor directories under ProgramData
Software that uses rundll32.exe or regsvr32.exe as child processes of control.exe during legitimate CPL applet registration
Automated kiosk or digital signage configurations scripted to adjust display settings via control.exe

CrowdStrike LogScale (CQL)

cql

// T1218.002 - control.exe CPL abuse detection
#event_simpleName = ProcessRollup2
| FileName = /(?i)^control\.exe$/
  OR ParentBaseFileName = /(?i)^control\.exe$/
| eval HasCPL = if(CommandLine = /(?i)\.cpl/, "true", "false")
| eval SuspiciousPath = if(
    CommandLine = /(?i)(temp|appdata|downloads|public|programdata)/,
    "true", "false")
| eval OfficeParent = if(
    ParentBaseFileName = /(?i)^(winword|excel|outlook|powerpnt)\.exe$/,
    "true", "false")
| eval ScriptParent = if(
    ParentBaseFileName = /(?i)^(wscript|cscript|mshta|cmd|powershell)\.exe$/,
    "true", "false")
| eval SuspiciousChild = if(
    ParentBaseFileName = /(?i)^control\.exe$/ AND
    FileName = /(?i)^(cmd|powershell|wscript|cscript|rundll32|regsvr32)\.exe$/,
    "true", "false")
| where HasCPL = "true" OR SuspiciousPath = "true" OR OfficeParent = "true" OR ScriptParent = "true" OR SuspiciousChild = "true"
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
           HasCPL, SuspiciousPath, OfficeParent, ScriptParent, SuspiciousChild],
          function=count(aid, as=EventCount))
| sort(EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon Data Replicator to LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives

System administrators using control.exe with custom CPL files distributed via SCCM or Intune to AppData or ProgramData paths
Legitimate third-party applications that register CPL applets via scripts using wscript.exe or cmd.exe as part of their installation routine
Desktop customization tools or accessibility utilities that spawn control.exe with CPL arguments from non-standard locations during configuration

Control Panel

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections