Detect Control Panel in Microsoft Sentinel
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.002 Control Panel
- Canonical reference
- https://attack.mitre.org/techniques/T1218/002/
KQL Detection Query
let SuspiciousCPLPaths = dynamic(["Temp", "AppData", "Downloads", "Public", "ProgramData"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "control.exe"
| where ProcessCommandLine has ".cpl"
| extend SuspiciousPath = ProcessCommandLine has_any (SuspiciousCPLPaths)
| extend NetworkPath = ProcessCommandLine has_any ("http://", "https://", "\\\\")
| extend OfficeParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
| extend ScriptParent = InitiatingProcessFileName has_any ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, SuspiciousPath, NetworkPath, OfficeParent, ScriptParent
| sort by Timestamp desc
union (
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "control.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
)Detects malicious Control Panel item (CPL) execution by monitoring control.exe launching with .cpl files from suspicious paths (Temp, AppData, Downloads), from Office or scripting parents, or via network paths. Also catches control.exe spawning post-exploitation child processes, which legitimate Control Panel items never do.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers that register and open CPL files from ProgramData or temp directories
- Third-party Control Panel applets for hardware management (display drivers, audio controllers, VPN clients)
- Enterprise IT tools that use CPL files for configuration management or deployment
- Antivirus or security software that includes CPL-based management interfaces
Other platforms for T1218.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Control Panel CPL Execution from Command Line
Expected signal: Sysmon Event ID 1: Process Create with Image=control.exe, CommandLine containing '.cpl'. Security Event ID 4688 with the same information. No child process should be spawned by a legitimate CPL.
- Test 2CPL File Executed from Temp Directory
Expected signal: Sysmon Event ID 11: File Create for update.cpl in Temp. Sysmon Event ID 1: control.exe with Temp path in command line. Security Event ID 4688 for the control.exe process.
- Test 3Malicious CPL Registry Registration
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing 'Control Panel\Cpls' with the CPL path as data. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.
References (7)
- https://attack.mitre.org/techniques/T1218/002/
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
- https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/
- https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md
- https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
Unlock Pro Content
Get the full detection package for T1218.002 including response playbook, investigation guide, and atomic red team tests.