T1218.002 CrowdStrike LogScale · LogScale

Detect Control Panel in CrowdStrike LogScale

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.002 Control Panel
Canonical reference
https://attack.mitre.org/techniques/T1218/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1218.002 - control.exe CPL abuse detection
#event_simpleName = ProcessRollup2
| FileName = /(?i)^control\.exe$/
  OR ParentBaseFileName = /(?i)^control\.exe$/
| eval HasCPL = if(CommandLine = /(?i)\.cpl/, "true", "false")
| eval SuspiciousPath = if(
    CommandLine = /(?i)(temp|appdata|downloads|public|programdata)/,
    "true", "false")
| eval OfficeParent = if(
    ParentBaseFileName = /(?i)^(winword|excel|outlook|powerpnt)\.exe$/,
    "true", "false")
| eval ScriptParent = if(
    ParentBaseFileName = /(?i)^(wscript|cscript|mshta|cmd|powershell)\.exe$/,
    "true", "false")
| eval SuspiciousChild = if(
    ParentBaseFileName = /(?i)^control\.exe$/ AND
    FileName = /(?i)^(cmd|powershell|wscript|cscript|rundll32|regsvr32)\.exe$/,
    "true", "false")
| where HasCPL = "true" OR SuspiciousPath = "true" OR OfficeParent = "true" OR ScriptParent = "true" OR SuspiciousChild = "true"
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
           HasCPL, SuspiciousPath, OfficeParent, ScriptParent, SuspiciousChild],
          function=count(aid, as=EventCount))
| sort(EventCount, order=desc)
high severity high confidence

CrowdStrike LogScale (CQL) detection for T1218.002. Queries ProcessRollup2 events for control.exe with CPL arguments from suspicious directories, abnormal parent processes, or spawning suspicious child processes.

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)Falcon Data Replicator to LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • System administrators using control.exe with custom CPL files distributed via SCCM or Intune to AppData or ProgramData paths
  • Legitimate third-party applications that register CPL applets via scripts using wscript.exe or cmd.exe as part of their installation routine
  • Desktop customization tools or accessibility utilities that spawn control.exe with CPL arguments from non-standard locations during configuration
Download portable Sigma rule (.yml)

Other platforms for T1218.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Control Panel CPL Execution from Command Line

    Expected signal: Sysmon Event ID 1: Process Create with Image=control.exe, CommandLine containing '.cpl'. Security Event ID 4688 with the same information. No child process should be spawned by a legitimate CPL.

  2. Test 2CPL File Executed from Temp Directory

    Expected signal: Sysmon Event ID 11: File Create for update.cpl in Temp. Sysmon Event ID 1: control.exe with Temp path in command line. Security Event ID 4688 for the control.exe process.

  3. Test 3Malicious CPL Registry Registration

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing 'Control Panel\Cpls' with the CPL path as data. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1566.001Spearphishing AttachmentT1204.002Malicious FileT1574.002DLL Side-LoadingT1027.009Embedded PayloadsT1112Modify RegistryT1036.004Masquerade Task or Service

Same Tactic: Defense Evasion

Popular Detections