System Control Panel Item Loaded From Uncommon Location

 1title: System Control Panel Item Loaded From Uncommon Location
 2id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
 3status: test
 4description: |
 5        Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
 6references:
 7    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
 8    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
 9    - https://github.com/mhaskar/FsquirtCPLPoC
10    - https://securelist.com/sidewinder-apt/114089/
11author: Anish Bogati
12date: 2024-01-09
13modified: 2026-02-17
14tags:
15    - attack.defense-evasion
16    - attack.persistence
17    - attack.privilege-escalation
18    - attack.t1574.001
19logsource:
20    product: windows
21    category: image_load
22detection:
23    selection:
24        ImageLoaded|endswith:
25            - '\appwiz.cpl' # Usually loaded by fondue.exe
26            - '\bthprops.cpl' # Usually loaded by fsquirt.exe
27            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
28    filter_main_legit_location:
29        ImageLoaded|startswith:
30            - 'C:\Windows\Prefetch\'
31            - 'C:\Windows\System32\'
32            - 'C:\Windows\SysWOW64\'
33            - 'C:\Windows\WinSxS\'
34    condition: selection and not 1 of filter_main_*
35falsepositives:
36    - Unknown
37level: high
38regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml

References

• 1 little known secret of fondue.exe

  

  Same as in the previous case, we can copy the main executable fondue.exe to a different folder f.ex. c:\test and start it from there, loading the c:\test\appwiz.cpl we control in the process.

  
  Read More

• 1 little known secret of hdwwiz.exe

  

  There is a number of .cpl files that can be loaded using their OS-native executable equivalents f.ex hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder f.ex. c:\test...

  
  Read More

• GitHub - mhaskar/FsquirtCPLPoC: PoC for generating bthprops.cpl module designed to be loaded by Fsquirt.exe LOLBin

  

  PoC for generating bthprops.cpl module designed to be loaded by Fsquirt.exe LOLBin - mhaskar/FsquirtCPLPoC

  
  Read More

• Beyond the Surface: the evolution and expansion of the SideWinder APT group

  

  Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post-exploitation tools and techniques.

  
  Read More

Related rules

• Creation Of Non-Existent System DLL
• Potential DLL Sideloading Of Non-Existent DLLs From System Folders
• Registry Modification for OCI DLL Redirection
• Creation of WerFault.exe/Wer.dll in Unusual Folder
• Potential System DLL Sideloading From Non System Locations