Detect Control Panel in Google Chronicle
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.002 Control Panel
- Canonical reference: https://attack.mitre.org/techniques/T1218/002/
YARA-L Detection Query
rule t1218_002_control_panel_cpl_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects control.exe invoked with a CPL payload from a user-writable path or by an abnormal parent (T1218.002)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack = "T1218.002"
    reference = "https://attack.mitre.org/techniques/T1218/002/"

  events:
    // In a UDM PROCESS_LAUNCH event the launched process is the target and its
    // parent is the principal, so control.exe must be matched on the target side.
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.target.process.file.full_path = /(?i)\\control\.exe$/
    $e1.target.process.command_line = /(?i)\.cpl/
    (
      // Pattern 1: the CPL argument points into a user-writable location ...
      $e1.target.process.command_line = /(?i)(temp|appdata|downloads|public|programdata)/
      // ... or, Pattern 2, control.exe was started by an Office application,
      // script host or shell rather than by Explorer.
      or $e1.principal.process.file.full_path = /(?i)\\(winword|excel|outlook|powerpnt|wscript|cscript|mshta|cmd|powershell)\.exe$/
    )
    $hostname = $e1.principal.hostname

  match:
    $hostname over 24h

  condition:
    $e1
}

rule t1218_002_control_panel_suspicious_child {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects shell or script hosts spawned under control.exe or under the rundll32.exe instance hosting a CPL (T1218.002)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack = "T1218.002"

  events:
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Direct child of control.exe ...
      $e2.principal.process.file.full_path = /(?i)\\control\.exe$/
      // ... or child of the rundll32.exe that control.exe starts to host the applet.
      // control.exe runs a CPL as "rundll32.exe shell32.dll,Control_RunDLL <file>.cpl",
      // so the applet's own code, and anything it spawns, lives under that rundll32.exe,
      // not under control.exe itself.
      or (
        $e2.principal.process.file.full_path = /(?i)\\rundll32\.exe$/
        and $e2.principal.process.command_line = /(?i)control_rundll.*\.cpl/
      )
    )
    // rundll32.exe is deliberately not listed as a suspicious child: it is the
    // expected child of control.exe for every CPL launch, malicious or not.
    $e2.target.process.file.full_path = /(?i)\\(cmd|powershell|wscript|cscript|mshta|regsvr32)\.exe$/
    $hostname = $e2.principal.hostname

  match:
    $hostname over 1h

  condition:
    $e2
}

Chronicle YARA-L 2.0 rules detecting T1218.002 Control Panel abuse. Two complementary rules: one for control.exe launched with a CPL from a user-writable path or by an abnormal parent, one for shell or script hosts spawned under control.exe or under the rundll32.exe instance that hosts the applet on its behalf.
Data Sources
Process creation telemetry normalized into UDM PROCESS_LAUNCH events: Sysmon Event ID 1, Windows Security Event ID 4688 (with command-line auditing enabled so that target.process.command_line is populated), or an EDR process feed. Both rules depend on the parent (principal.process) and child (target.process) file paths and command lines, so a source that omits the parent image or the command line will not match. The registry registration described under Testing Methodology is covered by Sysmon Event ID 13, not by the two rules above.
False Positives & Tuning
- Corporate IT management software that legitimately invokes control.exe with custom CPL applets installed to vendor directories under ProgramData
- Every legitimate CPL launch: control.exe hands the applet to rundll32.exe shell32.dll,Control_RunDLL, so rundll32.exe as a child of control.exe is expected and must be tuned on the CPL path and on what rundll32.exe spawns next, not on the parent/child pair alone; regsvr32.exe may also appear as a child during legitimate applet registration
- Automated kiosk or digital signage configurations scripted to adjust display settings via control.exe
Testing Methodology
Validate this detection against three tests derived from the Atomic Red Team atomics for T1218.002. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Control Panel CPL Execution from Command Line
Expected signal: Sysmon Event ID 1 (Process Create) with Image=control.exe and a CommandLine containing '.cpl', followed by a second Event ID 1 for rundll32.exe with ParentImage=control.exe and a CommandLine of the form 'shell32.dll,Control_RunDLL <path>.cpl'. Security Event ID 4688 with the same information. A benign CPL spawns no further child process from that rundll32.exe instance.
- Test 2: CPL File Executed from Temp Directory
Expected signal: Sysmon Event ID 11 (File Create) for update.cpl in Temp. Sysmon Event ID 1 for control.exe with the Temp path in the command line, and for the rundll32.exe it spawns with the same path. Security Event ID 4688 for the control.exe process.
- Test 3: Malicious CPL Registry Registration
Expected signal: Sysmon Event ID 13 (Registry Value Set) with TargetObject containing 'Control Panel\Cpls' and the CPL path as the value data. Security Event ID 4657 (Registry value modified) only if the Audit Registry subcategory is enabled and the key carries a SACL.
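The YARA-L above only runs inside Google SecOps, so the following is an added example, not Chronicle's or the page's own code, that re-implements the same matching logic in Python and runs it over a handful of constructed, UDM-shaped events: a benign desk.cpl launch chain, a phishing-style chain (WINWORD.EXE starting control.exe on a CPL in Temp, rundll32.exe hosting it, PowerShell spawned from that rundll32.exe), and the registry write from Test 3. It assumes events are flat dictionaries keyed by UDM field path and that the REGISTRY_MODIFICATION fields are named target.registry.registry_key and target.registry.registry_value_data; the third check, for registration under the Cpls key, is not one of the rules above but the signal Test 3 expects.

```python
# Added example (not Chronicle/Argus code): Python re-implementation of the two
# YARA-L rules plus the Test 3 registry signal, run over constructed UDM-shaped events.
# Assumptions: flat dicts keyed by UDM field path; registry field names as in UDM.
import re

# --- Patterns, kept equivalent to the YARA-L regexes ------------------------------
CONTROL_EXE = re.compile(r"\\control\.exe$", re.I)
CPL_ARG = re.compile(r"\.cpl\b", re.I)
USER_WRITABLE = re.compile(r"temp|appdata|downloads|public|programdata", re.I)
ABNORMAL_PARENT = re.compile(
    r"\\(winword|excel|outlook|powerpnt|wscript|cscript|mshta|cmd|powershell)\.exe$", re.I)
# control.exe hands every CPL to "rundll32.exe shell32.dll,Control_RunDLL <file>.cpl",
# so the applet's code (and anything it spawns) lives under that rundll32.exe.
CPL_HOST_CMD = re.compile(r"control_rundll.*\.cpl", re.I)
SUSPICIOUS_CHILD = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta|regsvr32)\.exe$", re.I)
CPLS_KEY = re.compile(r"\\Control Panel\\Cpls\b", re.I)


def cpl_from_suspicious_context(ev):
    """Rule 1: control.exe launched with a .cpl argument from a user-writable path
    or by an abnormal parent (Office application, script host, shell)."""
    if ev.get("metadata.event_type") != "PROCESS_LAUNCH":
        return False
    target = ev.get("target.process.file.full_path", "")
    cmd = ev.get("target.process.command_line", "")
    parent = ev.get("principal.process.file.full_path", "")
    if not (CONTROL_EXE.search(target) and CPL_ARG.search(cmd)):
        return False
    return bool(USER_WRITABLE.search(cmd) or ABNORMAL_PARENT.search(parent))


def suspicious_child_of_cpl_host(ev):
    """Rule 2: a shell or script host spawned directly by control.exe, or by the
    rundll32.exe instance that is hosting a CPL on control.exe's behalf."""
    if ev.get("metadata.event_type") != "PROCESS_LAUNCH":
        return False
    parent = ev.get("principal.process.file.full_path", "")
    parent_cmd = ev.get("principal.process.command_line", "")
    child = ev.get("target.process.file.full_path", "")
    hosting_cpl = parent.lower().endswith("\\rundll32.exe") and CPL_HOST_CMD.search(parent_cmd)
    return bool((CONTROL_EXE.search(parent) or hosting_cpl) and SUSPICIOUS_CHILD.search(child))


def cpl_registration(ev):
    """Test 3 signal: a value written under ...\\Control Panel\\Cpls whose data
    registers an applet living in a user-writable location."""
    if ev.get("metadata.event_type") != "REGISTRY_MODIFICATION":
        return False
    key = ev.get("target.registry.registry_key", "")
    data = ev.get("target.registry.registry_value_data", "")
    return bool(CPLS_KEY.search(key) and CPL_ARG.search(data) and USER_WRITABLE.search(data))


RULES = {
    "t1218_002_control_panel_cpl_abuse": cpl_from_suspicious_context,
    "t1218_002_control_panel_suspicious_child": suspicious_child_of_cpl_host,
    "t1218_002_control_panel_cpl_registration": cpl_registration,
}


def evaluate(events):
    """Return (event id, rule name) for every rule that fires on each event."""
    return [(ev["metadata.id"], name) for ev in events for name, fn in RULES.items() if fn(ev)]


def _launch(eid, parent, parent_cmd, child, child_cmd):
    """Build a constructed PROCESS_LAUNCH event (parent = principal, child = target)."""
    return {"metadata.id": eid, "metadata.event_type": "PROCESS_LAUNCH",
            "principal.hostname": "ws01",
            "principal.process.file.full_path": parent, "principal.process.command_line": parent_cmd,
            "target.process.file.full_path": child, "target.process.command_line": child_cmd}


TEMP_CPL = r"C:\Users\alice\AppData\Local\Temp\update.cpl"   # constructed path
SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry: e1-e2 benign desk.cpl chain, e3-e5 phishing chain, e6 registration.
SAMPLE_EVENTS = [
    _launch("e1", SYS32 + r"\explorer.exe", "explorer.exe", SYS32 + r"\control.exe",
            f'control.exe "{SYS32}\\desk.cpl"'),
    _launch("e2", SYS32 + r"\control.exe", f'control.exe "{SYS32}\\desk.cpl"', SYS32 + r"\rundll32.exe",
            f'rundll32.exe shell32.dll,Control_RunDLL "{SYS32}\\desk.cpl"'),
    _launch("e3", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n",
            SYS32 + r"\control.exe", f'control.exe "{TEMP_CPL}"'),
    _launch("e4", SYS32 + r"\control.exe", f'control.exe "{TEMP_CPL}"', SYS32 + r"\rundll32.exe",
            f'rundll32.exe shell32.dll,Control_RunDLL "{TEMP_CPL}"'),
    _launch("e5", SYS32 + r"\rundll32.exe", f'rundll32.exe shell32.dll,Control_RunDLL "{TEMP_CPL}"',
            SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -c whoami"),
    {"metadata.id": "e6", "metadata.event_type": "REGISTRY_MODIFICATION", "principal.hostname": "ws01",
     "target.registry.registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls",
     "target.registry.registry_value_name": "Update", "target.registry.registry_value_data": TEMP_CPL},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Run as written it reports e3 (control.exe on a Temp CPL under WINWORD.EXE), e5 (PowerShell under the rundll32.exe hosting that CPL) and e6 (the Cpls registration), and stays silent on the benign chain and on the rundll32.exe launches themselves, which is the tuning point from the False Positives section: the CPL host process is expected, what matters is where the CPL lives and what the host spawns.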
References (7)
- https://attack.mitre.org/techniques/T1218/002/
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
- https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/
- https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md
- https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx