Skip to content

T1218.002 Control Panel

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.12 For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.1 Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.1 23

Malicious Control Panel items can be delivered via Phishing campaigns23 or executed as part of multi-stage malware.4 Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.5

Item Value
ID T1218.002
Sub-techniques T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics TA0005
Platforms Windows
Permissions required Administrator, SYSTEM, User
Version 2.0
Created 23 January 2020
Last Modified 11 March 2022

Procedure Examples

ID Name Description
S0260 InvisiMole InvisiMole can register itself for execution and persistence via the Control Panel.5
S0172 Reaver Reaver drops and executes a malicious CPL file as its payload.4


ID Mitigation Description
M1038 Execution Prevention Identify and block potentially malicious and unknown .cpl files by using application control 6 tools, like Windows Defender Application Control7, AppLocker, 8 9 or Software Restriction Policies 10 where appropriate. 11
M1022 Restrict File and Directory Permissions Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0011 Module Module Load
DS0009 Process OS API Execution
DS0024 Windows Registry Windows Registry Key Modification


Back to top