Control Panel Items

Detects the malicious use of a control panel item

Sigma rule

title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020/06/22
modified: 2023/10/11
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1218.002
    - attack.persistence
    - attack.t1546
logsource:
    product: windows
    category: process_creation
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
    selection_cpl:
        CommandLine|endswith: '.cpl'
    filter_cpl_sys:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
            - '|C:\Windows\system32|'
    filter_cpl_igfx:
        CommandLine|contains|all:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
    - Unknown
level: high
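The rule's condition, re-implemented in Python as an added example (not code from the rule authors or the Sigma project) and run over constructed process_creation events; field names follow the rule, the event values are made up. Sigma string matching is case-insensitive by default, so the comparison lowercases both sides.

```python
# Added example: evaluates "all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)"
# over constructed process_creation events. Not the Sigma rule's own code.
from typing import Dict, List

# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs"'
                    ' /v x /d C:\\Users\\Public\\evil.cpl'},
    {"Image": "C:\\Windows\\System32\\control.exe", "OriginalFileName": "CONTROL.EXE",
     "CommandLine": "control.exe C:\\Users\\Public\\evil.cpl"},
    {"Image": "C:\\Windows\\System32\\control.exe", "OriginalFileName": "CONTROL.EXE",
     "CommandLine": "control.exe C:\\Windows\\System32\\timedate.cpl"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32 /s C:\\Program Files\\Intel\\igfxCPL.cpl"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\CPLs"'},
]


def matches(ev: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's condition."""
    image = ev.get("Image", "").lower()
    ofn = ev.get("OriginalFileName", "").lower()
    cli = ev.get("CommandLine", "").lower()

    # selection_reg_img: list of maps = OR between the two field checks
    selection_reg_img = image.endswith("\\reg.exe") or ofn == "reg.exe"
    # selection_reg_cli: contains|all = every substring must be present
    selection_reg_cli = all(s in cli for s in ("add", "currentversion\\control panel\\cpls"))
    # selection_cpl: command line ends with .cpl
    selection_cpl = cli.endswith(".cpl")
    # filter_cpl_sys: contains (list) = any one substring suffices
    filter_cpl_sys = any(s in cli for s in ("\\system32\\", "%system%", "|c:\\windows\\system32|"))
    # filter_cpl_igfx: contains|all = every substring must be present
    filter_cpl_igfx = all(s in cli for s in ("regsvr32 ", " /s ", "igfxcpl.cpl"))

    return (selection_reg_img and selection_reg_cli) or (
        selection_cpl and not (filter_cpl_sys or filter_cpl_igfx))


def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that would fire the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # event 0 (reg add to CPLs key) and event 1 (user-path .cpl)
```

Events 2 and 3 show the two filters at work (a System32 .cpl and the silent regsvr32 igfxCPL.cpl registration), and event 4 shows that a reg query of the same key does not fire.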
