rules/windows/process_creation/win_control_panel_item.yml

title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
description: Detects the use of a control panel item (.cpl) outside of the System32 folder
reference:
    - https://attack.mitre.org/techniques/T1196/
tags:
    - attack.execution
    - attack.t1196
    - attack.defense_evasion
author: Kyaw Min Thein
date: 2019/08/27
level: critical
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine: '*.cpl'
    filter:
        CommandLine:
            - '*\System32\\*'
            - '*%System%*'
    condition: selection and not filter
falsepositives:
    - Unknown
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30			`title: Control Panel Items`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4`
Changes 2019-08-27 12:23:42 +02:00			`status: experimental`
			`description: Detects the use of a control panel item (.cpl) outside of the System32 folder`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`reference:`
			`- https://attack.mitre.org/techniques/T1196/`
			`tags:`
			`- attack.execution`
			`- attack.t1196`
			`- attack.defense_evasion`
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30			`author: Kyaw Min Thein`
			`date: 2019/08/27`
			`level: critical`
			`logsource:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`product: windows`
			`category: process_creation`
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30			`detection:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`selection:`
			`CommandLine: '*.cpl'`
			`filter:`
			`CommandLine:`
			`- '\System32\\'`
			`- '%System%'`
			`condition: selection and not filter`
Control Panel Item, MITRE_ID=T1196 2019-08-27 14:55:55 +06:30			`falsepositives:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- Unknown`