1. Home
  2. Techniques
  3. Enterprise
  4. System Binary Proxy Execution
  5. Control Panel

System Binary Proxy Execution: Control Panel

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC
T1218.015 Electron Applications

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.[1][2] For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.[1] Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.[1] [2][3]

Malicious Control Panel items can be delivered via Phishing campaigns[2][3] or executed as part of multi-stage malware.[4] Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.[5]

ID: T1218.002
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Contributors: ESET
Version: 2.1
Created: 23 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0260 InvisiMole

InvisiMole can register itself for execution and persistence via the Control Panel.[5]
S0172 Reaver

Reaver drops and executes a malicious CPL file as its payload.[4]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Identify and block potentially malicious and unknown .cpl files by using application control [6] tools, like Windows Defender Application Control[7], AppLocker, [8] [9] or Software Restriction Policies [10] where appropriate. [11]
M1022 Restrict File and Directory Permissions

Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0194 Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 AN0558

Execution of control.exe or rundll32.exe with parameters pointing to CPL files, especially from non-standard directories or newly created files, followed by suspicious child process execution or registry modifications registering new Control Panel items.

References

  1. M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.
  2. Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.
  3. Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018.
  4. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  5. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  6. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  1. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  2. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  3. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  4. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved September 12, 2024.
  5. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.