T1218.002: Control Panel
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet
function. For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.
Malicious Control Panel items can be delivered via Phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet
functions, they are loaded and executed through its DllEntryPoint
when Control Panel is executed. CPL files not exporting CPlApplet
are not directly executable.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-193: ControlPanel_AWL_Bypass: An attempt to bypass application-start restrictions by using control.exe (a built-in Microsoft Windows utility used to execute Control Panel items)
Detection
ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for newly constructed files that may forge web cookies that can be used to gain access to web applications or Internet services. |
---|
ID | DS0011 | Data source and component | Module: Module Load | Description | Monitor for DLL/PE file events, such as the |
---|
ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Modification | Description | Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:
|
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | When executed from the command line or clicked, control.exe will execute the CPL file (ex: |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls that may forge web cookies that can be used to gain access to web applications or Internet services. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. |
---|
Mitigation
ID | M1022 | Name | Restrict File and Directory Permissions | Description | Restrict storage and execution of Control Panel items to protected directories, such as |
---|
ID | M1038 | Name | Execution Prevention | Description | Identify and block potentially malicious and unknown .cpl files by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. |
---|