Execution of control.exe or rundll32.exe with parameters pointing to CPL files, especially from non-standard directories or newly created files, followed by suspicious child process execution or registry modifications registering new Control Panel items.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |

| Field | Description |
|---|---|
| CPLPathRegex | Regex to match CPL file paths; tune to exclude legitimate CPLs in System32 |
| ParentProcessName | Helps filter known parent processes that legitimately use control.exe |
| NewFileTimeWindow | Time delta between CPL file creation and execution to detect rapid execution of newly dropped files |
| RegistryKeyAllowlist | Allowlist of known-good CPL registry entries |
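The following is an added example, not analytic code from the page or from MITRE, showing how the four tunables above can be combined into one correlation over Sysmon process-creation (EID 1), file-creation (EID 11) and registry-key-creation (EID 12) events. The events are constructed inline in Sysmon's field names; the registry location under `CurrentVersion\Control Panel\Cpls`, the parent allowlist, the five-minute window and the allowlisted entry name `vendorpanel` are all assumptions to be tuned for the environment.

```python
"""Added example: correlate Sysmon events for control.exe / rundll32.exe loading CPL files."""
import re
from datetime import datetime, timedelta

# --- tuning knobs, mirroring the fields described above (assumed values) ---
CPLPathRegex = re.compile(r'(?i)"([^"]+\.cpl)"|(\S+\.cpl)')   # pulls .cpl paths out of a command line
TrustedCplDir = re.compile(r'(?i)^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\.cpl$')
ParentProcessAllowlist = {"explorer.exe"}                    # parents that legitimately spawn control.exe
NewFileTimeWindow = timedelta(minutes=5)                     # "dropped then run" window
# Assumed registration location for Control Panel items (not taken from the page above).
CplRegistryKey = re.compile(r'(?i)\\software\\microsoft\\windows\\currentversion\\control panel\\cpls\\(.+)$')
RegistryKeyAllowlist = {"vendorpanel"}                       # constructed known-good entry name
LOADERS = {"control.exe", "rundll32.exe"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")     # Sysmon UtcTime format


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_cpl_paths(cmdline):
    """Return every .cpl path referenced on a command line, quoted or bare."""
    return [quoted or bare for quoted, bare in CPLPathRegex.findall(cmdline)]


def analyze(events):
    """Correlate EID 1/11/12 events; return alerts, each with the reasons that fired."""
    created = {}  # lowercase .cpl path -> most recent creation time
    for e in events:
        if e["EventCode"] == 11 and e["TargetFilename"].lower().endswith(".cpl"):
            created[e["TargetFilename"].lower()] = _ts(e["UtcTime"])
    alerts = []
    for e in sorted(events, key=lambda x: _ts(x["UtcTime"])):
        ts = _ts(e["UtcTime"])
        if e["EventCode"] == 1 and _basename(e["Image"]) in LOADERS:
            for cpl in extract_cpl_paths(e["CommandLine"]):
                reasons = []
                if not TrustedCplDir.match(cpl):
                    reasons.append("non_standard_directory")
                born = created.get(cpl.lower())
                if born is not None and timedelta(0) <= ts - born <= NewFileTimeWindow:
                    reasons.append("newly_created_file")
                if _basename(e["ParentImage"]) not in ParentProcessAllowlist:
                    reasons.append("untrusted_parent")
                if reasons:  # a System32 CPL launched from an allowlisted parent yields no alert
                    alerts.append({"time": e["UtcTime"], "image": _basename(e["Image"]),
                                   "cpl": cpl, "reasons": reasons, "severity": len(reasons)})
        elif e["EventCode"] == 12 and e.get("EventType") == "CreateKey":
            m = CplRegistryKey.search(e["TargetObject"])
            if m and m.group(1).lower() not in RegistryKeyAllowlist:
                alerts.append({"time": e["UtcTime"], "image": _basename(e["Image"]),
                               "cpl": m.group(1), "reasons": ["cpl_registry_registration"],
                               "severity": 1})
    return alerts


# Constructed sample telemetry: one benign launch, one drop-and-run with a registry
# registration, and one vendor CPL outside System32 that should surface at low severity.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00.000", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 11, "UtcTime": "2024-05-01 10:05:10.000", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.cpl"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:05:12.000", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\alice\AppData\Local\Temp\update.cpl",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 12, "UtcTime": "2024-05-01 10:05:15.000", "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\Updater"},
    {"EventCode": 1, "UtcTime": "2024-05-01 11:30:00.000", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Program Files\Vendor\panel.cpl"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["time"], alert["image"], alert["cpl"], alert["severity"], ",".join(alert["reasons"]))
```

Severity is simply the count of reasons that fired, so the drop-and-run case scores 3 while the vendor CPL under Program Files scores 1 and can be suppressed by widening `TrustedCplDir` once it is confirmed benign. The Module Load (EID 7) source in the table is not consumed here; it would add a further signal when the image loaded by rundll32.exe is the CPL itself rather than shell32.dll.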