Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

System Control Panel Item Loaded From Uncommon Location

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Anish BogatiCreated Tue Jan 09Updated Tue Feb 172b140a5c-dc02-4bb8-b6b1-8bdb45714cdewindows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        ImageLoaded|endswith:
            - '\appwiz.cpl' # Usually loaded by fondue.exe
            - '\bthprops.cpl' # Usually loaded by fsquirt.exe
            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
    filter_main_legit_location:
        ImageLoaded|startswith:
            - 'C:\Windows\Prefetch\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
hexacorn.com
2
Resolving title…
hexacorn.com
3
Resolving title…
github.com
4
Resolving title…
securelist.com
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
Status
test
Level
high
Type
Detection
Created
Tue Jan 09
Modified
Tue Feb 17
Author
Anish Bogati
Path
rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
View on GitHub