DET0194 Detection of Malicious Control Panel Item Execution via control.exe or Rundll32

| Item | Value |
| --- | --- |
| ID | DET0194 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1218.002 (Control Panel)

Analytics

Windows

AN0558

Execution of control.exe or rundll32.exe with parameters pointing to CPL files, especially from non-standard directories or newly created files, followed by suspicious child process execution or registry modifications registering new Control Panel items.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |

Mutable Elements

| Field | Description |
| --- | --- |
| CPLPathRegex | Regex to match CPL file paths; tune to exclude legitimate CPLs in System32 |
| ParentProcessName | Helps filter known parent processes that legitimately use control.exe |
| NewFileTimeWindow | Time delta between CPL file creation and execution to detect rapid execution of newly dropped files |
| RegistryKeyAllowlist | Whitelist of known good CPL registry entries |
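
The following added example (not part of the ATT&CK page) sketches the process-creation and file-creation portion of AN0558 in Python: it correlates Sysmon EventCode=11 and EventCode=1 records using CPLPathRegex, ParentProcessName and NewFileTimeWindow. The tunable values, the `corp_mgmt_agent.exe` parent and the sample events are assumptions constructed for illustration; the registry, module-load and child-process checks are left out.

```python
import re
from datetime import datetime, timedelta

# Tunables named after the page's mutable elements; all values are assumptions.
CPL_PATH_REGEX = re.compile(r'[a-z]:\\[^":]*?\.cpl\b', re.I)  # absolute paths only
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PARENT_ALLOWLIST = {"corp_mgmt_agent.exe"}  # hypothetical management agent
NEW_FILE_TIME_WINDOW = timedelta(minutes=5)
LAUNCHERS = {"control.exe", "rundll32.exe"}

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def _name(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return (UtcTime, cpl_path, reasons) for each suspicious CPL launch."""
    created, alerts = {}, []  # created: CPL path -> time seen in EventCode=11
    for ev in sorted(events, key=_ts):
        if ev["EventCode"] == 11:
            if ev["TargetFilename"].lower().endswith(".cpl"):
                created[ev["TargetFilename"].lower()] = _ts(ev)
            continue
        if ev["EventCode"] != 1 or _name(ev["Image"]) not in LAUNCHERS:
            continue
        match = CPL_PATH_REGEX.search(ev["CommandLine"])
        if not match or _name(ev["ParentImage"]) in PARENT_ALLOWLIST:
            continue
        path, reasons = match.group(0).lower(), []
        if not path.startswith(STANDARD_DIRS):
            reasons.append("non-standard directory")
        if path in created and _ts(ev) - created[path] <= NEW_FILE_TIME_WINDOW:
            reasons.append("newly created file")
        if reasons:
            alerts.append((ev["UtcTime"], path, reasons))
    return alerts

# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE = [
    {"EventCode": 11, "UtcTime": "2025-10-21 10:00:00.000",
     "TargetFilename": r"C:\Users\Public\Downloads\update.cpl"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:30.000",
     "Image": r"C:\Windows\System32\control.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"control.exe C:\Users\Public\Downloads\update.cpl"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:05:00.000",
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:06:00.000",
     "Image": r"C:\Windows\System32\control.exe", "ParentImage": r"C:\Tools\corp_mgmt_agent.exe",
     "CommandLine": r"control.exe C:\ProgramData\Vendor\tool.cpl"},
]
```

Running `detect(SAMPLE)` flags only the `update.cpl` launch; the System32 CPL and the allowlisted parent are not reported.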