title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
description: Detects the malicious use of a control panel item
references:
    - https://attack.mitre.org/techniques/T1196/
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1218.002
    - attack.t1196  # an old one
    - attack.persistence
    - attack.t1546
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020/06/22
modified: 2020/11/28
level: critical
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|endswith: '.cpl'
    filter:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
    selection2:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'add'
    selection3:
        CommandLine|contains:
            - 'CurrentVersion\\Control Panel\\CPLs'
    condition: (selection1 and not filter) or (selection2 and selection3)
falsepositives:
    - Unknown