T1218.002 IBM QRadar · QRadar

Detect Control Panel in IBM QRadar

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.002 Control Panel
Canonical reference
https://attack.mitre.org/techniques/T1218/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip, username, hostname,
       "Process Name", "Command", "Parent Process Name", "Parent Command"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (LOWER("Process Name") LIKE '%control.exe%' OR LOWER("Parent Process Name") LIKE '%control.exe%')
  AND (
    (LOWER("Process Name") LIKE '%control.exe%' AND LOWER("Command") LIKE '%.cpl%')
    OR
    (LOWER("Parent Process Name") LIKE '%control.exe%' AND
     LOWER("Process Name") IN ('cmd.exe','powershell.exe','wscript.exe','cscript.exe','rundll32.exe','regsvr32.exe'))
  )
  AND (LOWER("Command") LIKE '%temp%'
    OR LOWER("Command") LIKE '%appdata%'
    OR LOWER("Command") LIKE '%downloads%'
    OR LOWER("Command") LIKE '%public%'
    OR LOWER("Command") LIKE '%programdata%'
    OR LOWER("Parent Process Name") LIKE '%winword.exe%'
    OR LOWER("Parent Process Name") LIKE '%excel.exe%'
    OR LOWER("Parent Process Name") LIKE '%outlook.exe%'
    OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
    OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC
high severity medium confidence

AQL detection for control.exe CPL abuse. Queries both Security Event Log and Sysmon sources for control.exe with CPL arguments from suspicious paths or suspicious parent/child process relationships.

Data Sources

Microsoft Windows Security Event Log (QRadar DSM)Sysmon via QRadar Universal DSM

Required Tables

events

False Positives & Tuning

  • Enterprise software suites that ship legitimate CPL files extracted to temporary directories during installation
  • Help desk remote management tools that invoke control.exe panels programmatically
  • Automated build or test systems running control.exe in scripted environments as part of QA pipelines
Download portable Sigma rule (.yml)

Other platforms for T1218.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Control Panel CPL Execution from Command Line

    Expected signal: Sysmon Event ID 1: Process Create with Image=control.exe, CommandLine containing '.cpl'. Security Event ID 4688 with the same information. No child process should be spawned by a legitimate CPL.

  2. Test 2CPL File Executed from Temp Directory

    Expected signal: Sysmon Event ID 11: File Create for update.cpl in Temp. Sysmon Event ID 1: control.exe with Temp path in command line. Security Event ID 4688 for the control.exe process.

  3. Test 3Malicious CPL Registry Registration

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing 'Control Panel\Cpls' with the CPL path as data. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1566.001Spearphishing AttachmentT1204.002Malicious FileT1574.002DLL Side-LoadingT1027.009Embedded PayloadsT1112Modify RegistryT1036.004Masquerade Task or Service

Same Tactic: Defense Evasion

Popular Detections