System Control Panel Item Loaded From Uncommon Location

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

Sigma rule

```yaml
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
references:
    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
author: Anish Bogati
date: 2024-01-09
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
            - '\appwiz.cpl' # Usually loaded by fondue.exe
    filter_main_legit_location:
        ImageLoaded|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
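The rule's condition evaluated over constructed image-load events, as an added example that is not part of the rule or its repository. The event records (Sysmon Event ID 7 style `Image` and `ImageLoaded` fields) and the helper names `rule_matches` and `triage` are assumptions made for illustration.

```python
# Added example: mirrors the rule's "selection and not 1 of filter_*" condition.
# Values below are copied from the rule's detection section.
SELECTION_SUFFIXES = ("\\hdwwiz.cpl", "\\appwiz.cpl")
LEGIT_FRAGMENTS = (
    ":\\Windows\\System32\\",
    ":\\Windows\\SysWOW64\\",
    ":\\Windows\\WinSxS\\",
)


def rule_matches(event: dict) -> bool:
    """Return True when an image_load event would raise this rule."""
    # Sigma string modifiers compare case-insensitively by default,
    # so both sides are lowered before matching.
    loaded = str(event.get("ImageLoaded", "")).lower()
    selection = loaded.endswith(tuple(s.lower() for s in SELECTION_SUFFIXES))
    filtered = any(f.lower() in loaded for f in LEGIT_FRAGMENTS)
    return selection and not filtered


def triage(events):
    """Return (loading process, loaded .cpl) pairs for events that match."""
    return [(e.get("Image", "?"), e["ImageLoaded"]) for e in events if rule_matches(e)]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Expected loads from system directories: removed by the filter.
    {"Image": r"C:\Windows\System32\fondue.exe", "ImageLoaded": r"C:\Windows\System32\appwiz.cpl"},
    {"Image": r"C:\Windows\System32\hdwwiz.exe", "ImageLoaded": r"C:\WINDOWS\SYSTEM32\HDWWIZ.CPL"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\WinSxS\amd64_x\appwiz.cpl"},
    # Same file names loaded from non-system paths: the rule fires.
    {"Image": r"C:\Users\Public\fondue.exe", "ImageLoaded": r"C:\Users\Public\appwiz.cpl"},
    {"Image": r"C:\ProgramData\stage\hdwwiz.exe", "ImageLoaded": r"C:\ProgramData\stage\HdwWiz.cpl"},
    # Not selected: a different .cpl, a name without the leading backslash
    # boundary, and a record with no ImageLoaded field.
    {"Image": r"C:\Windows\System32\control.exe", "ImageLoaded": r"C:\Windows\System32\main.cpl"},
    {"Image": r"C:\Temp\tool.exe", "ImageLoaded": r"C:\Temp\myappwiz.cpl"},
    {"Image": r"C:\Temp\tool.exe"},
]

if __name__ == "__main__":
    for image, loaded in triage(SAMPLE_EVENTS):
        print(f"ALERT (medium): {image} loaded {loaded}")
```

The leading backslash in each `endswith` value is what keeps `myappwiz.cpl` from matching, and the `Image` field is carried into the alert so an analyst can compare the loading process with the ones named in the rule's comments.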
