Detect Control Panel in Elastic Security
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.002 Control Panel
- Canonical reference
- https://attack.mitre.org/techniques/T1218/002/
Elastic Detection Query
sequence by host.id with maxspan=2m
[process where event.type == "start" and process.name : "control.exe" and
(process.args : "*.cpl" or process.command_line : "*.cpl") and
(process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*ProgramData*") or
process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"))]
until [process where event.type == "start" and process.parent.name : "control.exe" and
process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")]
Detects abuse of control.exe to proxy execution of malicious CPL payloads. Flags control.exe loading CPL files from suspicious paths or spawned by Office/script interpreters, followed by suspicious child process execution.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT admin tools invoking control.exe with custom CPL files stored in non-standard paths during software deployment
- Software installers that temporarily extract CPL files to AppData or Temp directories during legitimate setup routines
- Group Policy or MDM-managed scripts that call control.exe as part of system configuration workflows
Other platforms for T1218.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Control Panel CPL Execution from Command Line
Expected signal: Sysmon Event ID 1: Process Create with Image=control.exe, CommandLine containing '.cpl'. Security Event ID 4688 with the same information. No child process should be spawned by a legitimate CPL.
- Test 2CPL File Executed from Temp Directory
Expected signal: Sysmon Event ID 11: File Create for update.cpl in Temp. Sysmon Event ID 1: control.exe with Temp path in command line. Security Event ID 4688 for the control.exe process.
- Test 3Malicious CPL Registry Registration
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing 'Control Panel\Cpls' with the CPL path as data. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.
References (7)
- https://attack.mitre.org/techniques/T1218/002/
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
- https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/
- https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md
- https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
Unlock Pro Content
Get the full detection package for T1218.002 including response playbook, investigation guide, and atomic red team tests.