Control Panel Process with Unusual Arguments
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/09/08"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/29"

[rule]
author = ["Elastic"]
description = """
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value.
Adversaries may abuse control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Control Panel Process with Unusual Arguments"
references = ["https://www.joesandbox.com/analysis/476188/1/html"]
risk_score = 73
rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "control.exe" and
  process.command_line : (
    "*.jpg*", "*.png*",
    "*.gif*", "*.bmp*",
    "*.jpeg*", "*.TIFF*",
    "*.inf*", "*.cpl:*/*",
    "*../../..*",
    "*/AppData/Local/*",
    "*:\\Users\\Public\\*",
    "*\\AppData\\Local\\*"
)
'''

note = """## Triage and analysis

### Investigating Control Panel Process with Unusual Arguments

#### Possible investigation steps

- Which suspicious argument family did the alert preserve, and what does it imply?
  - Focus: `process.command_line` and `@timestamp`, identifying image or INF targets, ".cpl:" indirection, traversal (".."), "AppData\\Local", or "Users\\Public" fragments.
  - Implication: escalate when Control Panel points at non-applet content, user-writable paths, traversal, or URL-like ".cpl:" loading; lower suspicion only when the path and argument resolve to one recognized vendor applet, driver package, or support workflow.

- Is the alerting binary really the expected Control Panel executable?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.hash.sha256`.
  - Implication: escalate if "control.exe" is renamed, unsigned or untrusted, has an unfamiliar hash, or runs outside the Windows system path; Microsoft identity lowers masquerade risk but does not clear the arguments.

- Does the parent and user context fit this launch?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `user.id`, and `user.name`.
  - Implication: Office, browser, script-host, archive-tool, remote-admin, or mismatched-user launches make the command abnormal; keep validating only when parent and user context fit the applet, driver, support, or lab workflow named by the command line.

- Did Control Panel hand off to follow-on execution?
  - Focus: child starts on the same `host.id` where `process.parent.entity_id` equals the alert `process.entity_id`; review child `process.executable`, `process.command_line`, and `process.pe.original_file_name`. $investigate_0
  - Implication: follow-on execution confirms proxy-abuse risk when the chain uses "rundll32.exe" or "Control_RunDLL", or spawns PowerShell, cmd, mshta, regsvr32, wscript, cscript, or another unexpected LOLBin; a clean stop at the expected applet or support component narrows scope.
  - Hint: if `process.entity_id` is absent, recover children with `host.id` + `process.pid` near `@timestamp`; treat ambiguity as unresolved.

- Did the referenced path contain staged or renamed payload content?
  - Focus: file events for `host.id` + `process.entity_id`, or `host.id` + `process.pid` near `@timestamp`; review `file.path`, `file.Ext.original.path`, `file.Ext.header_bytes`, and `file.Ext.windows.zone_identifier`. $investigate_1
  - Implication: escalate when file events show executable or script content, mismatched headers, recent renames, internet provenance, or payloads under "AppData\\Local" or "Users\\Public"; artifacts confined to the same recognized vendor package layout reduce file concern. Missing file telemetry is unresolved, not benign.

- Did the process or host contact delivery or command-and-control infrastructure?
  - Focus: DNS and connection events for `host.id` + `process.entity_id`, or `host.id` + `process.pid` near `@timestamp`; compare DNS `dns.question.name` and `dns.resolved_ip` with `destination.ip` and `destination.port`. $investigate_2
  - Implication: escalate when network events show the same process or host reaching rare external domains, payload hosts, or mismatched service ports after launch; urgency drops only when traffic stays limited to the same recognized vendor or internal service. Missing network telemetry is unresolved, not benign.
  - Hint: separate DNS events from connection events before correlating `dns.resolved_ip` to `destination.ip`.

- If local evidence is suspicious or unresolved, does related alert activity change the user or host scope?
  - Focus: alerts for the same `user.id` showing delivery, persistence, defense evasion, suspicious children, or other proxy-execution utilities such as "rundll32.exe", "mshta.exe", or "regsvr32.exe". $investigate_3
  - Hint: use the host pivot separately for the same patterns on `host.id`, especially when user context is absent or shared. $investigate_4
  - Implication: broaden scope when either pivot shows related delivery, persistence, proxy execution, or repeated suspicious Control Panel launches; keep local only when local evidence is explained and related alerts do not contradict it.

- Escalate when command intent plus any meaningful corroborator indicates proxy execution, staged payloads, unexpected child execution, suspicious destinations, or spread; close only when alert-local process evidence and supported recovery bind the exact activity to one recognized workflow with no contradictions; if evidence is mixed or visibility is incomplete, preserve artifacts and escalate.

### False positive analysis

- Vendor applets, printer/display drivers, hardware-management packages, support troubleshooting, or lab validation can trigger unusual Control Panel paths. Confirm `process.command_line` names the expected CPL or INF target, `process.executable` is the Microsoft system binary, `process.parent.executable` and `process.parent.command_line` match the installer or support component, `user.id` and `host.id` fit the endpoint or lab cohort, artifacts stay inside the vendor package layout, and no suspicious child process or unexpected external destination follows. Use package, change, or lab records only as corroboration; without them, close only when this case's telemetry binds the exact workflow. Treat it as a candidate exception until records or recurrence confirm stability.
- Before creating an exception, validate that the same `process.executable`, `process.parent.executable`, stable `process.command_line` pattern, `user.id`, and `host.id` recur across prior alerts from this rule. Build the exception from that minimum confirmed workflow pattern. Avoid exceptions on "control.exe" alone, on a file extension alone, or on a host alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the command, binary identity, parent workflow, account, host, artifact, and destination evidence that proved one recognized workflow. Create an exception only if that same workflow recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve a case export with `process.command_line`, `process.entity_id`, parent and child lineage, referenced artifacts, and network indicators when available before containment. Apply reversible containment first, such as temporary egress restrictions or heightened monitoring on the affected `host.id` and `user.id`, and avoid deleting files or killing child processes until follow-on execution is scoped.
- Do not isolate or suspend based on the alert alone. Escalate suspicious-but-unconfirmed cases to host isolation or account action only when child-process, artifact, network, or related-alert evidence shows likely follow-on execution or broader exposure.
- If confirmed malicious, preserve the same process, artifact, and network evidence before destructive action. Isolate the endpoint to stop further execution while keeping telemetry available; if direct endpoint response is unavailable, hand off the preserved `host.id`, `user.id`, `process.entity_id`, and command-line evidence to the team that can isolate the host or suspend the account.
- After scoping related hosts, users, parent processes, command-line fragments, referenced paths, and follow-on children, quarantine or remove the malicious applets, DLLs, scripts, archives, or dropped artifacts identified during the investigation. Restore affected Control Panel or shell-association paths to the expected baseline and verify no persistence remains.
- Post-incident hardening: restrict document-, script-, and archive-driven launches of Control Panel on privileged or shared systems, retain any file or network telemetry that limited the case, and record the confirmed workflow or malicious artifact pattern for future triage.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.name",
  "host.id",
  "user.name",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.command_line",
  "process.working_directory",
  "process.pe.original_file_name",
  "process.parent.entity_id",
  "process.parent.name",
  "process.parent.executable",
  "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Child process events for Control Panel"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for Control Panel"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for Control Panel"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "dns", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.002"
name = "Control Panel"
reference = "https://attack.mitre.org/techniques/T1218/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
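The rule's EQL query, replayed over constructed process-start events as an added example (this is not code from the Elastic rule or its repository). EQL's `:` operator is a case-insensitive wildcard match, so each of the twelve command-line patterns is compiled into a case-insensitive regular expression and tested against the whole command line. The two backslash patterns are written with the single backslash they match once TOML and EQL escaping is undone. The sample events are constructed here and are not real telemetry.

```python
import re

# The twelve command-line patterns from the rule's query, after TOML and EQL
# unescaping: the last two match a single backslash, so they are raw strings.
PATTERNS = [
    "*.jpg*", "*.png*", "*.gif*", "*.bmp*", "*.jpeg*", "*.TIFF*",
    "*.inf*", "*.cpl:*/*", "*../../..*", "*/AppData/Local/*",
    r"*:\Users\Public\*", r"*\AppData\Local\*",
]


def glob_to_regex(pattern):
    """EQL's ':' operator is a case-insensitive wildcard match; '*' is the
    only metacharacter, so every other character is matched literally."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


COMPILED = [(p, glob_to_regex(p)) for p in PATTERNS]


def matches_rule(event):
    """Return the list of patterns a process-start event matches, or None
    when the rule would not fire on it."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return None
    if (event.get("process.name") or "").lower() != "control.exe":
        return None
    cmd = event.get("process.command_line") or ""
    hits = [p for p, rx in COMPILED if rx.fullmatch(cmd)]
    return hits or None


def run_rule(events):
    """Evaluate a batch and return (index, matched patterns) for each hit."""
    out = []
    for i, ev in enumerate(events):
        hits = matches_rule(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start", "process.name": "control.exe",
     "process.command_line": r'control.exe "C:\Users\Public\photo.jpg"'},
    {"host.os.type": "windows", "event.type": "start", "process.name": "Control.EXE",
     "process.command_line": r"Control.EXE C:\Users\alice\AppData\Local\Temp\setup.inf"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "control.exe",
     "process.command_line": "control.exe timedate.cpl"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "control.exe",
     "process.command_line": "control.exe /name Microsoft.NetworkAndSharingCenter"},
    # Same argument, but the rule only evaluates control.exe itself.
    {"host.os.type": "windows", "event.type": "start", "process.name": "rundll32.exe",
     "process.command_line": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\photo.jpg"},
]

if __name__ == "__main__":
    for i, hits in run_rule(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["process.command_line"], "->", hits)
```

The first two events fire (public-path image, and an INF under AppData\Local), the stock applet launches do not, and the last event shows why the guide's child-process step exists: the same argument handed to rundll32.exe is outside this rule's scope and has to be recovered by pivoting from the control.exe alert.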
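The "Did Control Panel hand off to follow-on execution?" step and its hint, implemented over constructed events as an added example (not Elastic's code). The primary pivot keys on `process.parent.entity_id` equal to the alert's `process.entity_id` on the same `host.id`; when the alert carries no entity_id, the fallback keys on `host.id` plus the alert's `process.pid` as parent PID within the one-hour lookback the transforms use, and the result is marked ambiguous because PIDs are reused. The LOLBin list is the one the step names; the alert, the events and the timestamps are constructed.

```python
from datetime import datetime, timedelta

# Child images the guide names as unexpected follow-on execution.
FOLLOW_ON_LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                     "regsvr32.exe", "wscript.exe", "cscript.exe"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_children(alert, events, window=timedelta(hours=1)):
    """Direct children of the alerting process.

    Primary pivot: same host.id and process.parent.entity_id equal to the
    alert's process.entity_id. Fallback (the guide's hint) when the alert has
    no entity_id: same host.id, process.parent.pid equal to the alert's
    process.pid, and a start time within `window` after the alert. PIDs are
    reused, so the fallback is reported as ambiguous."""
    entity = alert.get("process.entity_id")
    t0 = _ts(alert["@timestamp"])
    children = []
    for ev in events:
        if ev.get("event.category") != "process" or ev.get("event.type") != "start":
            continue
        if ev.get("host.id") != alert["host.id"]:
            continue
        if entity:
            if ev.get("process.parent.entity_id") == entity:
                children.append(ev)
        elif ev.get("process.parent.pid") == alert["process.pid"]:
            if t0 <= _ts(ev["@timestamp"]) <= t0 + window:
                children.append(ev)
    return children, entity is None


def is_suspicious_child(ev):
    name = (ev.get("process.name") or "").lower()
    cmd = (ev.get("process.command_line") or "").lower()
    return name in FOLLOW_ON_LOLBINS or name == "rundll32.exe" or "control_rundll" in cmd


def assess_follow_on(alert, events):
    """The step's implication: suspicious children escalate, a clean stop
    narrows scope, and an ambiguous pivot with nothing suspicious stays
    unresolved."""
    children, ambiguous = find_children(alert, events)
    suspicious = [c for c in children if is_suspicious_child(c)]
    if suspicious:
        verdict = "escalate"
    elif ambiguous:
        verdict = "unresolved"
    else:
        verdict = "narrowed"
    return {"children": [c["process.name"] for c in children],
            "suspicious": [c["process.command_line"] for c in suspicious],
            "ambiguous": ambiguous, "verdict": verdict}


def _proc(ts, host, parent_entity, parent_pid, entity, pid, name, cmd):
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "host.id": host, "process.parent.entity_id": parent_entity,
            "process.parent.pid": parent_pid, "process.entity_id": entity,
            "process.pid": pid, "process.name": name, "process.command_line": cmd}


# Constructed alert and telemetry (not real data).
ALERT = {"@timestamp": "2026-04-29T10:00:00Z", "host.id": "host-1",
         "process.entity_id": "ent-control-1", "process.pid": 4120,
         "process.name": "control.exe",
         "process.command_line": r'control.exe "C:\Users\Public\photo.jpg"'}

EVENTS = [
    # Direct child: the Control_RunDLL handoff the step calls out.
    _proc("2026-04-29T10:00:02Z", "host-1", "ent-control-1", 4120, "ent-rundll-1", 4188,
          "rundll32.exe", r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\Public\photo.jpg"'),
    # Grandchild: its parent is rundll32, so a one-level pivot does not return it.
    _proc("2026-04-29T10:00:03Z", "host-1", "ent-rundll-1", 4188, "ent-ps-1", 4210,
          "powershell.exe", "powershell.exe"),
    # PID 4120 reused three hours later: outside the fallback window.
    _proc("2026-04-29T13:05:00Z", "host-1", "ent-other", 4120, "ent-np-1", 5312,
          "notepad.exe", "notepad.exe"),
    # Another host with the same parent PID: never correlated.
    _proc("2026-04-29T10:00:05Z", "host-2", "ent-x", 4120, "ent-cmd-2", 4120,
          "cmd.exe", "cmd.exe /c ver"),
]

if __name__ == "__main__":
    print(assess_follow_on(ALERT, EVENTS))
```

Because the pivot is one level deep, the PowerShell grandchild only appears when the analyst repeats the pivot from the rundll32.exe child, which is what the guide's "chain" wording implies.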
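How the `$investigate_N` tokens in the note resolve to queries: an added example (not Kibana's own rendering code) that substitutes alert fields into two of the `[[transform.investigate]]` provider blocks above and renders them as a KQL filter. It assumes the Timeline convention that providers within one row are AND-ed and rows are OR-ed, and it returns None when a placeholder field such as `process.entity_id` is missing from the alert, which is exactly the case the step's hint covers.

```python
import re

PLACEHOLDER = re.compile(r"\{\{([\w.@]+)\}\}")

# Provider rows copied from the rule's transforms ("Child process events"
# and "Network events for Control Panel").
PROCESS_PIVOT = [[
    {"excluded": False, "field": "host.id", "queryType": "phrase", "value": "{{host.id}}", "valueType": "string"},
    {"excluded": False, "field": "process.parent.entity_id", "queryType": "phrase", "value": "{{process.entity_id}}", "valueType": "string"},
    {"excluded": False, "field": "event.category", "queryType": "phrase", "value": "process", "valueType": "string"},
]]
NETWORK_PIVOT = [
    [{"excluded": False, "field": "host.id", "queryType": "phrase", "value": "{{host.id}}", "valueType": "string"},
     {"excluded": False, "field": "process.entity_id", "queryType": "phrase", "value": "{{process.entity_id}}", "valueType": "string"},
     {"excluded": False, "field": "event.category", "queryType": "phrase", "value": "network", "valueType": "string"}],
    [{"excluded": False, "field": "host.id", "queryType": "phrase", "value": "{{host.id}}", "valueType": "string"},
     {"excluded": False, "field": "process.entity_id", "queryType": "phrase", "value": "{{process.entity_id}}", "valueType": "string"},
     {"excluded": False, "field": "event.category", "queryType": "phrase", "value": "dns", "valueType": "string"}],
]


def _kql_quote(value):
    """Quote a phrase value for KQL, escaping backslashes and double quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def _resolve(template, alert):
    """Substitute {{field}} placeholders from the alert; None if any is missing."""
    missing = False

    def sub(match):
        nonlocal missing
        value = alert.get(match.group(1))
        if value in (None, ""):
            missing = True
            return ""
        return str(value)

    out = PLACEHOLDER.sub(sub, template)
    return None if missing else out


def render_provider(provider, alert):
    if provider["queryType"] != "phrase":
        raise ValueError("only phrase providers are handled here")
    value = _resolve(provider["value"], alert)
    if value is None:
        return None
    clause = f'{provider["field"]}: {_kql_quote(value)}'
    return f"not {clause}" if provider["excluded"] else clause


def render_kql(providers, alert):
    """AND the providers within a row, OR the rows (assumed Timeline
    semantics); None when the alert lacks a field the pivot needs."""
    rows = []
    for row in providers:
        clauses = [render_provider(p, alert) for p in row]
        if any(c is None for c in clauses):
            return None
        rows.append(" and ".join(clauses))
    if len(rows) == 1:
        return rows[0]
    return " or ".join(f"({r})" for r in rows)


# Constructed alert values (not real identifiers).
ALERT = {"host.id": "host-1", "process.entity_id": "ent-control-1", "user.id": "S-1-5-21-0-0-0-1001"}

if __name__ == "__main__":
    print(render_kql(PROCESS_PIVOT, ALERT))
    print(render_kql(NETWORK_PIVOT, ALERT))
```

A None result is the signal to fall back to the `host.id` + `process.pid` recovery the hint describes rather than to run an under-constrained query that would match every process on the host.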
Related rules
- IIS HTTP Logging Disabled
- Microsoft Build Engine Started by an Office Application
- Proxy Execution via Console Window Host
- Proxy Execution via Windows OpenSSH
- Suspicious Microsoft HTML Application Child Process