Signed Binary Proxy Execution: Control Panel, Sub-technique T1218.002-Enterprise

Signed Binary Proxy Execution: Control Panel

ID Name

T1218.001

Compiled HTML File

T1218.002 Control Panel

T1218.003

CMSTP

T1218.004

InstallUtil

T1218.005

Mshta

T1218.007

Msiexec

T1218.008

Odbcconf

T1218.009

Regsvcs/Regasm

T1218.010

Regsvr32

T1218.011

Rundll32

T1218.012

Verclsid

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.

[1]

[2]

For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.

[1]

Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.

[1]

[2]

[3]

Malicious Control Panel items can be delivered via

Phishing

campaigns

[2]

[3]

or executed as part of multi-stage malware.

[4]

Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCUSoftwareMicrosoftWindowsCurrentVersionControl PanelCpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.

[5]

ID: T1218.002

Sub-technique of: 

T1218

Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator, SYSTEM, User
Data Sources: API monitoring, Binary file metadata, DLL monitoring, Process command-line parameters, Process monitoring, Windows Registry
Defense Bypassed: Application control
Contributors: ESET
Version: 1.1
Created: 23 January 2020
Last Modified: 21 October 2020

Version Permalink

Bạn đang xem: Signed Binary Proxy Execution: Control Panel, Sub-technique T1218.002-Enterprise

Procedure Examples

Name Description

InvisiMole

InvisiMole

can register itself for execution and persistence via the Control Panel.

[5]

Reaver

Reaver

drops and executes a malicious CPL file as its payload.

[4]

Mitigations

Mitigation Description

Execution Prevention

Identify and block potentially malicious and unknown .cpl files by using application control

[6]

tools, like Windows Defender Application Control

[7]

, AppLocker,

[8]

[9]

or Software Restriction Policies

[10]

where appropriate.

[11]

Restrict File and Directory Permissions

Restrict storage and execution of Control Panel items to protected directories, such as C:Windows, rather than user directories.

Detection

Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before

Rundll32

is used to call the CPL’s API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter

Rundll32

command, which may bypass detections and/or execution filters for control.exe.

[2]

Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:

  • Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerControlPanelNameSpace and HKEY_CLASSES_ROOTCLSID{{GUID}}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel.

    [1]

  • CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionControl Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:windowssystem32control.exe {{Canonical_Name}}", SW_NORMAL);) or from a command line (control.exe /name {{Canonical_Name}}).

    [1]

  • Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionControls Folder{{name}}ShellexPropertySheetHandlers where {{name}} is the predefined name of the system item.

    [1]

Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.

[2]

References

  1. M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.

  2. Mercês, F. (2014, January 27). CPL Malware – Malicious Control Panel Items. Retrieved January 18, 2018.

  3. Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018.

  4. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

  5. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

  6. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.

  1. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.

  2. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.

  3. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.

  4. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.

  5. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.

Chuyên mục: Hỏi đáp

admin