title: Control Panel (T1218.002)
id: df00tech-t1218-002
status: experimental
description: "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files — the latter are renamed DLL files that export a CPlApplet function. Malicious CPL files can be delivered via phishing or executed as part of multi-stage malware. Adversaries may rename malicious DLLs with .cpl extensions and register them under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Malware families including InvisiMole and Reaver have leveraged this technique."
references:
  - https://attack.mitre.org/techniques/T1218/002/
  - https://df00tech.com/detections/T1218.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
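  # The detection logic could not be auto-translated; the original KQL/SPL query is on df00tech.
  # Minimal substitute derived from the description above (an assumption, not the
  # df00tech logic): control.exe launched with a .cpl argument. Built-in applets
  # opened by name will also match, so tune for your environment.
  selection:
    Image|endswith: '\control.exe'
    CommandLine|contains: '.cpl'
  condition: selection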
falsepositives:
  - Legitimate software installers that register and open CPL files from ProgramData or temp directories
  - "Third-party Control Panel applets for hardware management (display drivers, audio controllers, VPN clients)"
  - Enterprise IT tools that use CPL files for configuration management or deployment
  - Antivirus or security software that includes CPL-based management interfaces
level: high
