T1218.002 - Control Panel

T1218.002 - Control Panel#

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)

Malicious Control Panel items can be delivered via Phishing campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)

Atomic Tests#

Atomic Test #1 - Control Panel Items#

This test simulates an adversary leveraging control.exe Upon execution calc.exe will be launched

Supported Platforms: windows

Dependencies: Run with `powershell`!#

Description: Cpl file must exist on disk at specified location (#{cpl_file_path})#

Check Prereq Commands:#

if (Test-Path "PathToAtomicsFolder\T1218.002\bin\calc.cpl") {exit 0} else {exit 1}

Get Prereq Commands:#

New-Item -Type Directory (split-path "PathToAtomicsFolder\T1218.002\bin\calc.cpl") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "PathToAtomicsFolder\T1218.002\bin\calc.cpl"

Invoke-AtomicTest T1218.002 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with `command_prompt`#

control.exe "PathToAtomicsFolder\T1218.002\bin\calc.cpl"

Invoke-AtomicTest T1218.002 -TestNumbers 1

Detection#

Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before Rundll32 is used to call the CPL’s API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter Rundll32 command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)

Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:

Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)
CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(“c:\windows\system32\control.exe {Canonical_Name}”, SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)
Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)

Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)