Esc
Control Panel - T1218.002
(ATT&CK® Technique)
Definition
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1218002["Control Panel"] --> |invokes| CreateProcess["Create Process"]; class T1218002 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1218002 href "/offensive-technique/attack/T1218.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1218002["Control Panel"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1218002 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1218002 href "/offensive-technique/attack/T1218.002/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | may-detect | T1218002["Control Panel"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | may-detect | T1218002["Control Panel"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ExecutableAllowlisting["Executable Allowlisting"] --> | filters | CreateProcess["Create Process"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1218002["Control Panel"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | filters | CreateProcess["Create Process"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1218002["Control Panel"] ; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | may-isolate | T1218002["Control Panel"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | may-isolate | T1218002["Control Panel"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; RestoreConfiguration["Restore Configuration"] -.-> | may-restore | T1218002["Control Panel"] ; class RestoreConfiguration DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";