title: Non-Windows Control Panel Item
description: Detect cpl files outside standard Windows directories. First portion
  of query may need to be dropped if there is too much noise in your environment.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Defense Evasion
   technique: T1218
   subtechnique: 002
operating_system: windows
query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
  AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
  ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
  ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
false_positives: 
   - Applications bringing their own cpl files
tags: