Skeleton Code to Create Control Panel Items

This article demonstrates a defense evasion technique documented as “Control Panel” T1218.002 in the MITRE ATT&CK [1] framework. The technique is classified as defense evasion technique for the ability it offers to proxy execution of payloads through the legitimate and signed Windows application control.exe. Malicious Control Panel items have been used in the past for cyber espionage purposes [3] as well as in banking malware [4].

The article is layed out in the following sections:

Review of the technique
Implementation in C/C++
Detection Opportunities
References

Review of the technique

Control Panel items implemented in .cpl files, are similar to executable files. A user can just click the file and the item is executed. What makes CPL files useful to malware authors is their ability to evade defenses and more specifically application control. Control panel items are not executed individually, but through the legitimate and signed Windows appication control.exe.

To create a CPL and make it execute code, the only requirement is to export the function CPlApplet. This function is called when the file is clicked.

This effectively means that whatever the CPlApplet function contains/implements, it gets invoked as soon as the CPL is run by control.exe.

Implementation in C/C++

The code to create a CPL item that will print a message to DebugView (SysInternals) is listed below:

#include <windows.h>

LONG CPlApplet(HWND hwndCpl, UINT msg, LONG lParam1, LONG lParam2)
{
	OutputDebugStringW(L"");
	return 0;
}

The compiled output (DLL) should be given the extension .cpl and export the function CPlApplet. This function is what is actually called by control.exe when the control panel item is launched. Contrary to the popular belief, the generated file does not necessarily have to implement a DllMain function. The implementation of CPlApplet alone is sufficient to get whatever code lies within it, executed.

Detection Opportunities

To identify what are the detection opportunities, the question “what happens when a CPL file is clicked?” has to be addressed first.

Assuming a user clicks on a valid Control Panel file “dark.cpl” located at “C:\Users\user\Desktop" the following process tree is observed:

- "C:\Windows\System32\control.exe" "C:\Users\user\Desktop\dark.cpl"
    - "C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\Desktop\dark.cpl"

In terms of hunting, frequency analysis of the accurence of these specific events is the key to detect any threats. More specifically, if a CPL file is identified on a single host or a few hosts within an estate, this should raise flags and become a strong point for launching an investigation.

Additionally, for those familiar with VirusTotal Enterprise platform, the following search modifiers return malware consistent with rogue Control Panel items:

exports:”CPlApplet” positives:30+ type:”pedll”

The above query looks for the exported function CPlApplet in DLL files that have 30 or more detections by antivirus engines.

Forensic Artifacts

What surfaced during this research, is that when a control panel item is executed, that event creates an entry in registry and thus a valueable artifact for incident responders. The location (path) of the specific CPL is what is stored in the registry. The registry key is:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

The observation was made on a Windows 10 operating system.

References

[1] https://attack.mitre.org/techniques/T1218/002/

[2] https://www.trendmicro.com/en_us/research/14/a/a-look-into-cpl-malware.html

[3] https://unit42.paloaltonetworks.com/unit42-new-malware-with-ties-to-sunorcal-discovered/

[4] https://www.welivesecurity.com/2015/05/07/cpl-malware-brazil-white-paper-now-available/

tags: #Windows API