Control Panel Items
Detects the malicious use of a control panel item
Sigma rule
```yaml
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.defense-evasion
    - attack.t1218.002
    - attack.persistence
    - attack.t1546
logsource:
    product: windows
    category: process_creation
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
    selection_cpl:
        CommandLine|endswith: '.cpl'
    filter_cpl_sys:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
            - '|C:\Windows\system32|'
    filter_cpl_igfx:
        CommandLine|contains|all:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
    - Unknown
level: high
```
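To make the condition concrete, here is an added Python example (not part of the rule or of SigmaHQ's tooling) that reproduces the rule's detection logic and runs it over a handful of constructed process_creation events. It assumes Sigma's default case-insensitive string matching, and the sample command lines, paths and event ids are placeholders constructed for the demonstration.

```python
"""Reference implementation of the 'Control Panel Items' Sigma rule logic.

Added example, not SigmaHQ code. Sigma compares strings case-insensitively
by default, so every comparison lower-cases both sides.
"""


def _lower(event, field):
    """Return the event field as a lower-cased string ('' if absent)."""
    return str(event.get(field, "")).lower()


def selection_reg_img(event):
    # List of maps in Sigma = OR between the entries.
    return (_lower(event, "Image").endswith("\\reg.exe")
            or _lower(event, "OriginalFileName") == "reg.exe")


def selection_reg_cli(event):
    # contains|all = every listed substring must appear.
    cmd = _lower(event, "CommandLine")
    return all(s.lower() in cmd
               for s in ("add", "CurrentVersion\\Control Panel\\CPLs"))


def selection_cpl(event):
    return _lower(event, "CommandLine").endswith(".cpl")


def filter_cpl_sys(event):
    # contains (no |all) = any listed substring. The third pattern keeps the
    # literal pipe characters exactly as they are written in the rule.
    cmd = _lower(event, "CommandLine")
    return any(s.lower() in cmd
               for s in ("\\System32\\", "%System%", "|C:\\Windows\\system32|"))


def filter_cpl_igfx(event):
    cmd = _lower(event, "CommandLine")
    return all(s.lower() in cmd for s in ("regsvr32 ", " /s ", "igfxCPL.cpl"))


def rule_matches(event):
    """condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)"""
    reg_branch = selection_reg_img(event) and selection_reg_cli(event)
    cpl_branch = selection_cpl(event) and not (filter_cpl_sys(event)
                                               or filter_cpl_igfx(event))
    return reg_branch or cpl_branch


# Constructed sample events (placeholder paths and values, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "reg-cpls",
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion'
                    '\\Control Panel\\CPLs" /v Demo /t REG_SZ /d C:\\Users\\Public\\demo.cpl /f'},
    {"id": "reg-query",  # same key, but no 'add' -> should not fire
     "Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs"'},
    {"id": "user-cpl",  # .cpl outside System32 -> fires
     "Image": "C:\\Windows\\System32\\control.exe", "OriginalFileName": "CONTROL.EXE",
     "CommandLine": "control.exe C:\\Users\\Public\\demo.cpl"},
    {"id": "system-cpl",  # built-in applet under System32 -> filtered
     "Image": "C:\\Windows\\System32\\control.exe", "OriginalFileName": "CONTROL.EXE",
     "CommandLine": "control.exe C:\\Windows\\System32\\timedate.cpl"},
    {"id": "igfx",  # Intel graphics applet registration -> filtered
     "Image": "C:\\Windows\\System32\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32 /s C:\\Intel\\igfxCPL.cpl"},
    {"id": "not-reg",  # key string present, but image is not reg.exe -> no match
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo add CurrentVersion\\Control Panel\\CPLs"},
]


def evaluate(events):
    """Return the ids of the events that match the rule."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:12s} -> {'ALERT' if rule_matches(event) else 'ok'}")
```

Running it flags only `reg-cpls` and `user-cpl`; the System32 and `igfxCPL.cpl` cases show how the two filters suppress the built-in applets, and the `not-reg` event shows that the registry branch requires both the `reg.exe` image and the command-line strings, not either one alone.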