Control Panel Process with Unusual Arguments
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.
Elastic rule source (TOML, as published in the Elastic detection-rules repository on GitHub):
```toml
[metadata]
creation_date = "2021/09/08"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value.
Adversaries may abuse control.exe to proxy execution of malicious code.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Control Panel Process with Unusual Arguments"
references = ["https://www.joesandbox.com/analysis/476188/1/html"]
risk_score = 73
rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "control.exe" and
 process.command_line : (
    "*.jpg*", "*.png*",
    "*.gif*", "*.bmp*",
    "*.jpeg*", "*.TIFF*",
    "*.inf*", "*.cpl:*/*",
    "*../../..*",
    "*/AppData/Local/*",
    "*:\\Users\\Public\\*",
    "*\\AppData\\Local\\*"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Control Panel Process with Unusual Arguments

The Control Panel in Windows is a system utility that allows users to view and adjust system settings. Control Panel items (.cpl files) are DLLs that control.exe loads and runs, so adversaries may abuse control.exe to execute attacker-supplied code under a signed, trusted Windows binary. The detection rule identifies anomalies in the command-line arguments, such as unexpected file types or suspicious paths, that may indicate an attempt to evade defenses or execute unauthorized code.

### Possible investigation steps

- Review the command-line arguments of the control.exe process to identify unusual file types or suspicious paths, such as image file extensions or paths like */AppData/Local/*. control.exe has no legitimate reason to open an image, so check whether a file with an image extension is actually a .cpl/.dll (for example by inspecting its PE header) despite its name.
- Check the parent process of control.exe to determine whether it was spawned by a user-driven application such as explorer.exe or by something unexpected such as an Office application, a browser, or a script host.
- Check the child processes of control.exe, in particular rundll32.exe, which control.exe uses to load Control Panel items; its command line reveals which DLL was actually loaded.
- Investigate the user account associated with the process to verify whether the activity aligns with their typical behavior or appears suspicious.
- Examine recent file modifications or creations in directories like \\AppData\\Local\\ or \\Users\\Public\\ to identify any unauthorized or unexpected changes.
- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the potential threat.
- Assess the network activity of the host around the time of the alert to identify unusual outbound connections that may indicate data exfiltration or command and control communication.

### False positive analysis

- Image file paths in command-line arguments are unusual for control.exe and most often indicate a lure (a Control Panel item named to look like a picture). Treat them as high confidence, and if a legitimate application does pass such paths, create an exception scoped to that application's parent process and command line rather than to image extensions in general.
- Paths involving AppData or Users\\Public directories might be flagged if legitimate software installations or updates launch Control Panel items from these locations. Review and exclude the specific processes and command lines that are known to do so for legitimate purposes.
- Relative path traversal patterns like ../../.. could be used by legitimate scripts or applications for configuration purposes. Identify and exclude these scripts or applications from the detection rule once they are verified as non-malicious.
- Frequent use of control.exe with specific command-line arguments by system administrators or IT personnel for legitimate system management tasks can be excluded with exceptions on the exact command line and parent process. Avoid exceptions keyed only on the user account, since an attacker running in that user's context would inherit them.
- If certain security tools or monitoring software are known to trigger this rule due to their operational behavior, consider excluding these tools after confirming their legitimacy and necessity.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate the suspicious control.exe process, and any rundll32.exe it spawned, to stop ongoing malicious execution.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or remnants.
- Review and clean up any unauthorized changes or files in the directories specified in the alert, such as AppData/Local or Users/Public, to ensure no persistence mechanisms remain.
- Restore any affected files or system settings from a known good backup to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine whether additional systems are compromised.
- Implement additional monitoring and alerting for similar command-line anomalies to enhance detection and prevent recurrence of this threat."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.002"
name = "Control Panel"
reference = "https://attack.mitre.org/techniques/T1218/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
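To see what the EQL query above actually fires on, the following Python re-implements its matching semantics and runs it over a handful of constructed process events. This is an added example, not code from the Elastic rule or its repository; the event dictionaries are made up for illustration, and the only assumption beyond the rule text is EQL's documented behaviour that `==` is an exact comparison while `:` is case-insensitive with `*` and `?` wildcards.

```python
import re

# The wildcard list from the rule's EQL query. EQL string literals use
# backslash escapes, so "*:\\Users\\Public\\*" in the TOML is the pattern
# *:\Users\Public\* once parsed; the raw strings below hold the parsed form.
EQL_COMMAND_LINE_PATTERNS = [
    "*.jpg*", "*.png*",
    "*.gif*", "*.bmp*",
    "*.jpeg*", "*.TIFF*",
    "*.inf*", "*.cpl:*/*",
    "*../../..*",
    "*/AppData/Local/*",
    r"*:\Users\Public\*",
    r"*\AppData\Local\*",
]


def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into a compiled regex.

    EQL's ':' operator is a case-insensitive comparison in which '*' matches
    any run of characters and '?' matches exactly one; all else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = [(p, eql_wildcard_to_regex(p)) for p in EQL_COMMAND_LINE_PATTERNS]


def matching_pattern(event: dict):
    """Return the first rule pattern the event satisfies, or None.

    Mirrors the query: exact '==' checks on host.os.type and event.type,
    case-insensitive ':' checks on process.name and process.command_line.
    """
    if event.get("host.os.type") != "windows":
        return None
    if event.get("event.type") != "start":
        return None
    if event.get("process.name", "").lower() != "control.exe":
        return None
    command_line = event.get("process.command_line", "")
    for pattern, regex in COMPILED:
        if regex.fullmatch(command_line):
            return pattern
    return None


# Constructed sample events (not real telemetry), keyed by a short label.
SAMPLE_EVENTS = {
    "display_settings": {            # ordinary Control Panel use: no alert
        "host.os.type": "windows", "event.type": "start",
        "process.name": "control.exe",
        "process.command_line": "control.exe /name Microsoft.Display",
    },
    "builtin_cpl": {                 # built-in item from System32: no alert
        "host.os.type": "windows", "event.type": "start",
        "process.name": "control.exe",
        "process.command_line": r'"C:\Windows\System32\control.exe" appwiz.cpl',
    },
    "public_dir_cpl": {              # item staged in Users\Public; odd casing
        "host.os.type": "windows", "event.type": "start",
        "process.name": "CONTROL.EXE",
        "process.command_line": r"CONTROL.EXE C:\Users\Public\update.cpl",
    },
    "image_lure": {                  # a "picture" handed to control.exe
        "host.os.type": "windows", "event.type": "start",
        "process.name": "control.exe",
        "process.command_line": r'control.exe "C:\Users\alice\Downloads\photo.jpg"',
    },
    "traversal": {                   # relative path traversal in the argument
        "host.os.type": "windows", "event.type": "start",
        "process.name": "control.exe",
        "process.command_line": "control.exe ../../../ProgramData/item.cpl",
    },
    "not_a_start_event": {           # same command line, but a process end event
        "host.os.type": "windows", "event.type": "end",
        "process.name": "control.exe",
        "process.command_line": r"control.exe C:\Users\Public\update.cpl",
    },
    "wrong_os": {                    # host.os.type is an exact '==' check
        "host.os.type": "linux", "event.type": "start",
        "process.name": "control.exe",
        "process.command_line": r"control.exe C:\Users\Public\update.cpl",
    },
}


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Run the rule logic over every event; value is the hit pattern or None."""
    return {label: matching_pattern(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:20s} -> {'ALERT on ' + hit if hit else 'no match'}")
```

Two points the run makes visible: the `*.cpl:*/*` pattern needs a literal `.cpl:` followed later by a `/`, so a plain `foo.cpl` argument from a staging directory is caught by the path patterns, not the extension one; and because `:` is case-insensitive, `CONTROL.EXE` still matches while the `linux` event is dropped by the exact `==` on host.os.type.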
References
- https://www.joesandbox.com/analysis/476188/1/html
Related rules
- ImageLoad via Windows Update Auto Update Client
- Microsoft Build Engine Started by a System Process
- Suspicious .NET Code Compilation
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Windows Firewall Disabled via PowerShell