System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
Sigma rule (View on GitHub)
1title: System Control Panel Item Loaded From Uncommon Location
2id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
3status: test
4description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
5references:
6 - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
7 - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
8author: Anish Bogati
9date: 2024-01-09
10tags:
11 - attack.defense-evasion
12 - attack.t1036
13logsource:
14 product: windows
15 category: image_load
16detection:
17 selection:
18 ImageLoaded|endswith:
19 - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
20 - '\appwiz.cpl' # Usually loaded by fondue.exe
21 filter_main_legit_location:
22 ImageLoaded|contains:
23 - ':\Windows\System32\'
24 - ':\Windows\SysWOW64\'
25 - ':\Windows\WinSxS\'
26 condition: selection and not 1 of filter_*
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- CodePage Modification Via MODE.COM To Russian Language
- Forfiles.EXE Child Process Masquerading
- Sdiagnhost Calling Suspicious Child Process
- Suspicious Child Process Of Wermgr.EXE
- CreateDump Process Dump