- title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: experimental
description: Detects the use of a control panel item (.cpl) outside of the System32
folder
reference:
- https://attack.mitre.org/techniques/T1196/
tags:
- attack.execution
- attack.t1196
- attack.defense_evasion
author: Kyaw Min Thein
date: 2019/08/27
level: critical
logsource:
product: windows
category: process_creation
service: null
detection:
selection:
CommandLine: '*.cpl'
filter:
CommandLine:
- '*\System32\\*'
- '*%System%*'
condition: selection and not filter
falsepositives:
- Unknown
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(process_command_line.keyword:*.cpl AND (NOT (process_command_line.keyword:(*\\System32\\* OR *%System%*))))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()