System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
Sigma rule (View on GitHub)
1title: System Control Panel Item Loaded From Uncommon Location
2id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
3status: test
4description: |
5 Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
6references:
7 - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
8 - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
9 - https://github.com/mhaskar/FsquirtCPLPoC
10 - https://securelist.com/sidewinder-apt/114089/
11author: Anish Bogati
12date: 2024-01-09
13modified: 2026-02-17
14tags:
15 - attack.persistence
16 - attack.privilege-escalation
17 - attack.execution
18 - attack.stealth
19 - attack.t1574.001
20logsource:
21 product: windows
22 category: image_load
23detection:
24 selection:
25 ImageLoaded|endswith:
26 - '\appwiz.cpl' # Usually loaded by fondue.exe
27 - '\bthprops.cpl' # Usually loaded by fsquirt.exe
28 - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
29 filter_main_legit_location:
30 ImageLoaded|startswith:
31 - 'C:\Windows\Prefetch\'
32 - 'C:\Windows\System32\'
33 - 'C:\Windows\SysWOW64\'
34 - 'C:\Windows\WinSxS\'
35 condition: selection and not 1 of filter_main_*
36falsepositives:
37 - Unknown
38level: high
39regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation