T1218.002 Sumo Logic CSE · Sumo

Detect Control Panel in Sumo Logic CSE

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.002 Control Panel
Canonical reference
https://attack.mitre.org/techniques/T1218/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventID" = "1" OR %"EventCode" = "1" OR %"EventID" = "4688")
| toLowerCase(%"Image") as image
| toLowerCase(%"ParentImage") as parent_image
| toLowerCase(%"CommandLine") as cmdline
| where image matches "*\\control.exe" OR parent_image matches "*\\control.exe"
| if (cmdline matches "*.cpl*", 1, 0) as has_cpl
| if (cmdline matches /(temp|appdata|downloads|public|programdata)/, 1, 0) as suspicious_path
| if (parent_image matches /\\(winword|excel|outlook|powerpnt)\.exe$/, 1, 0) as office_parent
| if (parent_image matches /\\(wscript|cscript|mshta|cmd|powershell)\.exe$/, 1, 0) as script_parent
| if (parent_image matches "*\\control.exe" AND image matches /\\(cmd|powershell|wscript|cscript|regsvr32)\.exe$/, 1, 0) as suspicious_child
| (has_cpl + suspicious_path + office_parent + script_parent + suspicious_child) as risk_score
| where risk_score > 0
| fields _messageTime, %"host", %"User", %"Image", %"CommandLine", %"ParentImage", %"ParentCommandLine", has_cpl, suspicious_path, office_parent, script_parent, suspicious_child, risk_score
| sort by _messageTime desc
Severity: high · Confidence: high

Sumo Logic CSE detection for T1218.002 abuse of control.exe. The query risk-scores process-creation events (Sysmon Event ID 1, and Security 4688 where the fields are mapped) in which control.exe is either the process or the parent: one point each for a .cpl argument, a user-writable path in the command line, an Office or script-host parent, and a scripting or LOLBin child spawned directly by control.exe. Two caveats matter when reading the results. First, control.exe does not run a CPL itself: it spawns rundll32.exe with Shell32.dll,Control_RunDLL and the .cpl path, and the applet's code executes inside that rundll32.exe. That hand-off is expected on every CPL launch and is not counted as a suspicious child, and a cmd.exe or powershell.exe spawned by a malicious CPL will have rundll32.exe, not control.exe, as its parent, so that grandchild relationship has to be hunted separately. Second, Security Event 4688 records the process as NewProcessName and the parent as ParentProcessName (Creator Process Name, present on Windows 10 / Server 2016 and later), and includes the command line only when "Include command line in process creation events" is enabled; map those fields to Image and ParentImage at ingest, or the 4688 branch of the query matches nothing.
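To see how the scoring behaves on concrete telemetry, here is the same risk logic re-implemented in Python and run over a handful of constructed process-creation events, including the rundll32.exe hand-off and a 4688-shaped record. This is an added example, not the page's Sumo query or any Sumo Logic code; the event dicts, paths, host names and file names (update.cpl, invoice.docm) are made up, and the 4688 field names (NewProcessName, ParentProcessName) are assumed to arrive from the collector unmodified.

```python
import re
from typing import Optional

# Patterns mirror the query's matches() clauses; every field is lower-cased first.
CONTROL_EXE = re.compile(r"\\control\.exe$")
SUSP_PATH = re.compile(r"(temp|appdata|downloads|public|programdata)")
OFFICE_PARENT = re.compile(r"\\(winword|excel|outlook|powerpnt)\.exe$")
SCRIPT_PARENT = re.compile(r"\\(wscript|cscript|mshta|cmd|powershell)\.exe$")
# rundll32.exe is deliberately absent: control.exe loads every .cpl through
# "rundll32.exe Shell32.dll,Control_RunDLL <path>", so that child is expected.
SUSP_CHILD = re.compile(r"\\(cmd|powershell|wscript|cscript|regsvr32)\.exe$")


def normalize(event: dict) -> Optional[dict]:
    """Map a Sysmon EID 1 or Security 4688 record onto one field shape.

    4688 names the process NewProcessName and the parent ParentProcessName
    (parent only present on Windows 10 / Server 2016 and later) and carries
    no parent command line. Returns None for non process-creation events.
    """
    eid = str(event.get("EventID") or event.get("EventCode") or "")
    if eid == "1":
        image, parent = event.get("Image"), event.get("ParentImage")
        parent_cmd = event.get("ParentCommandLine")
    elif eid == "4688":
        image, parent = event.get("NewProcessName"), event.get("ParentProcessName")
        parent_cmd = None
    else:
        return None
    return {
        "image": (image or "").lower(),
        "parent": (parent or "").lower(),
        "cmdline": (event.get("CommandLine") or "").lower(),
        "parent_cmdline": (parent_cmd or "").lower(),
    }


def score(event: dict) -> Optional[dict]:
    """Per-flag breakdown plus risk_score for an in-scope control.exe event.

    Returns None when control.exe is neither the image nor the parent, or
    when nothing scores (the query's `where risk_score > 0`).
    """
    n = normalize(event)
    if n is None:
        return None
    if not (CONTROL_EXE.search(n["image"]) or CONTROL_EXE.search(n["parent"])):
        return None
    flags = {
        "has_cpl": int(".cpl" in n["cmdline"]),
        "suspicious_path": int(bool(SUSP_PATH.search(n["cmdline"]))),
        "office_parent": int(bool(OFFICE_PARENT.search(n["parent"]))),
        "script_parent": int(bool(SCRIPT_PARENT.search(n["parent"]))),
        "suspicious_child": int(bool(CONTROL_EXE.search(n["parent"])
                                     and SUSP_CHILD.search(n["image"]))),
    }
    risk = sum(flags.values())
    if risk == 0:
        return None
    flags["risk_score"] = risk
    return flags


def run(events: list) -> list:
    """Score a batch; returns (index, flags) for every event that fires."""
    hits = []
    for i, ev in enumerate(events):
        result = score(ev)
        if result is not None:
            hits.append((i, result))
    return hits


# Constructed sample telemetry (made up for this example, not real logs).
SAMPLE_EVENTS = [
    # 0: phishing chain, Word launches control.exe on a .cpl dropped in %TEMP%
    {"EventID": "1",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Users\bob\AppData\Local\Temp\update.cpl',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm'},
    # 1: the normal hand-off for a built-in applet; scores only has_cpl
    {"EventID": "1",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"',
     "ParentImage": r"C:\Windows\System32\control.exe",
     "ParentCommandLine": r'"C:\Windows\System32\control.exe" timedate.cpl'},
    # 2: user opens Date and Time from Explorer by canonical name; scores 0
    {"EventID": "1",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" /name Microsoft.DateAndTime',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    # 3: same technique seen only through Security 4688 on a host without Sysmon
    {"EventID": "4688",
     "NewProcessName": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe C:\ProgramData\stage\update.cpl",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # 4: unrelated process, out of scope
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # 5: the real payload child of a malicious CPL. Its parent is rundll32.exe,
    #    not control.exe, so this query never sees it (the blind spot to hunt separately)
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c whoami',
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\bob\AppData\Local\Temp\update.cpl"'},
]

if __name__ == "__main__":
    for idx, flags in run(SAMPLE_EVENTS):
        print(idx, flags)
```

Events 0 and 3 score 3, event 1 scores 1 on has_cpl alone, and events 2, 4 and 5 produce nothing; event 5 is the one worth noticing, because it is the actual execution of the CPL's payload and sits outside the control.exe-centred scope of this query.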

Data Sources

  • Sumo Logic Windows Source (Sysmon)
  • Sumo Logic Installed Collector with Windows Event Log source

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*

False Positives & Tuning

  • Windows Update or patch management systems that deploy CPL files to ProgramData as part of legitimate updates
  • Security software (DLP, endpoint agents) that installs Control Panel applets into user AppData directories
  • IT scripts that automate display or accessibility settings via control.exe from managed script directories
  • Any interactive launch of a .cpl (for example control.exe timedate.cpl from explorer.exe) scores on has_cpl alone, and the rundll32.exe hand-off control.exe spawns (Shell32.dll,Control_RunDLL) is normal behaviour rather than a suspicious child; if the volume is too high, raise the threshold to risk_score > 1 or suppress has_cpl-only hits whose parent is explorer.exe
  • The suspicious_path pattern is an unanchored substring match, so a path such as C:\Templates\ or a vendor directory containing "public" also scores; anchor it to the real user-writable roots (\users\*\appdata\, \windows\temp\) if that proves noisy

Testing Methodology

Validate this detection with the three tests below, modelled on Atomic Red Team. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Control Panel CPL Execution from Command Line

    Expected signal: Sysmon Event ID 1 (Process Create) with Image ending in control.exe and a CommandLine containing '.cpl', followed by a second Event ID 1 for rundll32.exe whose ParentImage is control.exe and whose CommandLine has the form Shell32.dll,Control_RunDLL <path to the .cpl>; that rundll32.exe is how control.exe loads every CPL and is expected. Security Event ID 4688 carries the same information when command-line auditing is enabled. A benign CPL spawns nothing further; a cmd.exe or powershell.exe whose parent is that rundll32.exe is the anomaly.

  2. Test 2: CPL File Executed from Temp Directory

    Expected signal: Sysmon Event ID 11 (FileCreate) for update.cpl under the user's Temp directory. Sysmon Event ID 1 for control.exe with that Temp path in the command line. Security Event ID 4688 for the same control.exe process.

  3. Test 3: Malicious CPL Registry Registration

    Expected signal: Sysmon Event ID 13 (Registry Value Set) with TargetObject containing 'Control Panel\Cpls' and Details holding the CPL path. Security Event ID 4657 (registry value modified) only if a SACL is set on that key and the Audit Registry subcategory under Object Access is enabled.
