title: Non-Windows Control Panel Item
description: The below query will find all cpl files outside standard directories
  and all cpl files executed outside of Windows directories. First portion of query
  may need to be dropped if there's too much noise in your environment.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Defense Evasion
   technique: T1218
   subtechnique: 002
operating_system: windows
query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
  AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
  ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
  ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
false_positives: null
tags: null