System Control Panel Item Loaded From Uncommon Location

    Date: 12/04/2024

    Severity: Medium

    Summary

    Detects the loading of system control panel items (.cpl) from uncommon or non-system locations, which may indicate sideloading activity.

    Indicators of Compromise (IOC) List

    ImageLoaded (selection: the loaded image path ends with one of these):

    - '\hdwwiz.cpl'       # Usually loaded by hdwwiz.exe

    - '\appwiz.cpl'       # Usually loaded by fondue.exe

    ImageLoaded (exclusion: loads from these system locations are expected and are filtered out):

    - ':\Windows\System32\'

    - ':\Windows\SysWOW64\'

    - ':\Windows\WinSxS\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    (resourcename = "Sysmon" AND eventtype = "7") AND (imageloaded like "\hdwwiz.cpl" or imageloaded like "\appwiz.cpl") AND (imageloaded not like ":\Windows\System32" and imageloaded not like ":\Windows\SysWOW64" and imageloaded not like ":\Windows\WinSxS")

    Detection Query 2 :

    (technologygroup = "EDR") AND (imageloaded like "\hdwwiz.cpl" or imageloaded like "\appwiz.cpl") AND (imageloaded not like ":\Windows\System32" and imageloaded not like ":\Windows\SysWOW64" and imageloaded not like ":\Windows\WinSxS")
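    As an added example (not Gurucul's code and not the referenced Sigma rule), the same selection and exclusion logic applied to constructed Sysmon Event ID 7 records, plus a second function showing why the three system-path exclusions must be combined with AND: an OR of the negated conditions is true for every path and excludes nothing.

```python
# Added example: the page's CPL-sideloading detection logic over constructed
# Sysmon Event ID 7 (Image loaded) records. Field names are Sysmon's own.
from typing import Dict, List

# Selection: control panel items the rule watches for (ImageLoaded ends with).
CPL_SUFFIXES = ("\\hdwwiz.cpl", "\\appwiz.cpl")
# Exclusion: system locations a legitimate copy is expected to load from.
SYSTEM_DIRS = (":\\windows\\system32\\", ":\\windows\\syswow64\\", ":\\windows\\winsxs\\")


def is_uncommon_cpl_load(event: Dict[str, str]) -> bool:
    """True when an EID 7 event loads hdwwiz.cpl or appwiz.cpl from outside
    the system directories. Windows paths are case-insensitive, so compare lower-cased."""
    if event.get("EventID") != "7":
        return False
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith(CPL_SUFFIXES):
        return False
    # NOT (A or B or C) == (not A) and (not B) and (not C): every exclusion must hold.
    return not any(d in loaded for d in SYSTEM_DIRS)


def always_true_exclusion(loaded: str) -> bool:
    """The 'not like A or not like B or not like C' form: a path cannot sit in all
    three directories at once, so this returns True for every input."""
    loaded = loaded.lower()
    return any(d not in loaded for d in SYSTEM_DIRS)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": r"C:\Windows\System32\hdwwiz.exe", "ImageLoaded": r"C:\Windows\System32\hdwwiz.cpl"},
    {"EventID": "7", "Image": r"C:\Users\Public\hdwwiz.exe", "ImageLoaded": r"C:\Users\Public\hdwwiz.cpl"},
    {"EventID": "7", "Image": r"C:\Windows\SysWOW64\fondue.exe", "ImageLoaded": r"C:\Windows\SysWOW64\appwiz.cpl"},
    {"EventID": "7", "Image": r"C:\Temp\fondue.exe", "ImageLoaded": r"C:\Temp\APPWIZ.CPL"},
    {"EventID": "7", "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\Public\shell32.dll"},
    {"EventID": "1", "Image": r"C:\Users\Public\hdwwiz.exe", "ImageLoaded": r"C:\Users\Public\hdwwiz.cpl"},
]


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the ImageLoaded paths that trigger the detection."""
    return [e["ImageLoaded"] for e in events if is_uncommon_cpl_load(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT uncommon CPL load:", hit)
```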

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml


    Tags

    Malware

    Sigma
