Detect Malicious Control Panel Items With This Free Splunk Detection Rule
Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.
For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.
Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via Spearphishing Attachment campaigns or executed as part of multi-stage malware. [4] Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.
ID: T1196
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: API monitoring, Binary file metadata, DLL monitoring, Windows Registry, Windows event logs, Process command-line parameters, Process monitoring
Defense Bypassed: Application whitelisting, Process whitelisting
Procedure Examples
Reaver: drops and executes a malicious CPL file as its payload.
Mitigation
Execution Prevention
Identify and block potentially malicious and unknown .cpl files by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
Restrict File and Directory Permissions
Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.
Detection
Monitor and analyze activity related to items associated with CPL files, such as the Windows Control Panel process binary (control.exe) and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before Rundll32 is used to call the CPL’s API functions (ex: rundll32.exe shell32.dll, Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter Rundll32 command, which may bypass detections and/or execution filters for control.exe.
The resource of Malicious Control Panel items rule:
index=windows source=”WinEventLog:Microsoft-Windows-Sysmon/Operational” (EventCode=1 Image=”*\\control.exe” CommandLine=”*.cpl*”) OR (EventCode=1 Image=”*\\rundll32.exe” CommandLine =”shell32.dll,Control_RunDLL” CommandLine=”*.cpl”) OR (EventCode=1 Image=”*\\rundll32.exe” CommandLine =”shell32.dll,ControlRunDLLAsUse” CommandLine=”*.cpl”) OR (EventCode=1 Image=”*\\rundll32.exe” CommandLine =”*.cpl*”) OR (EventCode IN (12,13) TargetObject IN (“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace*” , “HKCR\\CLSID*” , “HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ControlPanel*” , “*Shellex\\PropertySheetHandlers”))
