System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
Sigma rule (View on GitHub)
1title: System Control Panel Item Loaded From Uncommon Location
2id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
3status: experimental
4description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
5references:
6 - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
7 - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
8author: Anish Bogati
9date: 2024/01/09
10tags:
11 - attack.defense_evasion
12 - attack.t1036
13logsource:
14 product: windows
15 category: image_load
16detection:
17 selection:
18 ImageLoaded|endswith:
19 - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
20 - '\appwiz.cpl' # Usually loaded by fondue.exe
21 filter_main_legit_location:
22 ImageLoaded|contains:
23 - ':\Windows\System32\'
24 - ':\Windows\SysWOW64\'
25 - ':\Windows\WinSxS\'
26 condition: selection and not 1 of filter_*
27falsepositives:
28 - Unknown
29level: medium
References
-
Same as in the previous case, we can copy the main executable fondue.exe to a different folder f.ex. c:\test and start it from there, loading the c:\test\appwiz.cpl we control in the process. This ...
Read More -
There is a number of .cpl files that can be loaded using their OS-native executable equivalents f.ex hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder f.ex. c:\test...
Read More
Related rules
- Forfiles.EXE Child Process Masquerading
- PUA - Potential PE Metadata Tamper Using Rcedit
- Procdump Execution
- Renamed CreateDump Utility Execution
- Suspicious MSDT Parent Process