T1218.002 Splunk · SPL

Detect Control Panel in Splunk

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.002 Control Panel
Canonical reference
https://attack.mitre.org/techniques/T1218/002/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\control.exe" OR ParentImage="*\\control.exe")
| eval HasCPL=if(match(CommandLine, "\.cpl"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|ProgramData)"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval ScriptParent=if(match(ParentImage, "(wscript|cscript|mshta|cmd|powershell)\.exe"), 1, 0)
| eval SuspiciousChild=if(match(Image, "(cmd|powershell|wscript|cscript|rundll32|regsvr32)\.exe") AND ParentImage="*\\control.exe", 1, 0)
| eval RiskScore=HasCPL + SuspiciousPath + OfficeParent + ScriptParent + SuspiciousChild
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HasCPL, SuspiciousPath, OfficeParent, ScriptParent, SuspiciousChild, RiskScore
| sort - _time
high severity high confidence

Detects malicious Control Panel item abuse using Sysmon Event ID 1. Scores events across multiple risk dimensions: presence of .cpl extension, path in user-writable locations, suspicious parent processes (Office, scripting engines), and control.exe spawning child processes. Higher risk scores indicate more likely malicious activity.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software installers that register and open CPL files from ProgramData or temp directories
  • Third-party Control Panel applets for hardware management (display drivers, audio controllers, VPN clients)
  • Enterprise IT tools that use CPL files for configuration management or deployment
  • Antivirus or security software that includes CPL-based management interfaces
Download portable Sigma rule (.yml)

Other platforms for T1218.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Control Panel CPL Execution from Command Line

    Expected signal: Sysmon Event ID 1: Process Create with Image=control.exe, CommandLine containing '.cpl'. Security Event ID 4688 with the same information. No child process should be spawned by a legitimate CPL.

  2. Test 2CPL File Executed from Temp Directory

    Expected signal: Sysmon Event ID 11: File Create for update.cpl in Temp. Sysmon Event ID 1: control.exe with Temp path in command line. Security Event ID 4688 for the control.exe process.

  3. Test 3Malicious CPL Registry Registration

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing 'Control Panel\Cpls' with the CPL path as data. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1566.001Spearphishing AttachmentT1204.002Malicious FileT1574.002DLL Side-LoadingT1027.009Embedded PayloadsT1112Modify RegistryT1036.004Masquerade Task or Service

Same Tactic: Defense Evasion

Popular Detections