DFIR/DR Tip: Unfamiliar technique by Abuse Control panel files (.cpl extension)
Mohammed AlAqeel
Subject Matter Expert in Cyber Defense solutions | Digital Forensic Incident Response|SecOps| Cyber Threat Intelligence| Threat Detection and Response |GCFA | GCFE| GCTI| eCMAP| OSCP| OSINT/SOCMINT | IT and OT.
First, let us walk through what the (.cpl) file is: Control Panel Applets (.cpl) are one of those older Windows file extensions that exist but vanish from the limelight as the latest and greatest techniques come and go, yet they remain. When you open your Control Panel in Windows, those are, in fact, DLL files called Control Panel Applets. The difference is that you can have functions that trigger upon DoubleClick, unlike a DLL's entry points.
unfamiliar technique used by Threat actors in Defense Evasion Tactics to Bypass Defense Solution in any enterprises by abusing control panel files that's which have .cpl extension
Why it is unfamiliar, Because usually most anti-virus doesn't care about CPL files, and most mail servers don't have rules to process them (.cpl) attachments
During my previous incident response investigation engagement , I noticed the rubbish name file with an extension (.cpl), which brought my attention to do some more investigation and search to understand the situation. So how has that happened? Usually, the threat actors abuse and use the lining of the land technique control.exe to proxy the execution of malicious payloads. The Windows Control Panel process binary (control.exe, which is the "Living of the Land Technique"; check this: "https://lolbas-project.github.io/lolbas/Binaries/Control/")
handles the execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.?
Control Panel items are registered executable (.exe) or Control Panel (.cpl) files; the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.
and the Malicious Control Panel items can be delivered via phishing campaigns or executed as part of multi-stage malware. Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
Threat actors may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to
HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. "similar DLL hijacking Technique"
Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.
and the Permissions Required for this technique: Administrator, SYSTEM, and User?
Below, in references, there are more attack scenario that help understand more
let's now Create a Detection mechanism that will help the defense team detect this kind of unfamiliar technique :-
1. Identify and block potentially malicious and unknown (.cpl) files.
2. Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.
3. If you have EDR solutions, make sure create watchlist/rules to detect this technique by following the example of abuse from https://lolbasproject.github.io/lolbas/Binaries/Control/
4. Feel free to add more detection mechanisms.
References :-
Deloitte Senior Consultant and Veteran
4 个月Great work as always my friend!
Cyber Security Consultant eCIR | eCTHP | eCDFP I eCPPT | EJPT I CEH | CHFI | ECSA
4 个月??