AN0558: Analytic 0558
Execution of control.exe or rundll32.exe with parameters pointing to CPL files, especially from non-standard directories or newly created files, followed by suspicious child process execution or registry modifications registering new Control Panel items.
Analyst context for executives and security teams
This analytic covers suspicious loading of Control Panel items (CPL files) through control.exe or rundll32.exe. For leaders, the value is not the file extension itself; it is whether the organization can distinguish routine administrative Control Panel activity from unusual execution paths, newly introduced CPL files, follow-on child processes, or registry changes that may indicate persistence or unwanted code execution.
Executive priority
Prioritize this as a Windows endpoint detection and response readiness question: do SOC and IR teams have enough process, file, and registry evidence to explain why a Control Panel item ran, where the CPL came from, and what changed afterward? This matters for business continuity because weak visibility into trusted Windows utilities can slow containment decisions and make audit evidence incomplete during an incident.
Technical view
Validate monitoring for Windows executions of control.exe and rundll32.exe with command-line parameters referencing CPL files. Give higher review priority when the CPL path is in a non-standard directory, the CPL file was recently created, execution is followed by suspicious child process activity, or registry modifications register a new Control Panel item. Two details matter when building the correlation: a CPL file is a DLL that exports CPlApplet, and control.exe normally hands the item to a child rundll32.exe (shell32.dll,Control_RunDLL), so the rundll32.exe process, not control.exe, is usually the parent of any follow-on child; and new items are registered under the Cpls subkey of Software\Microsoft\Windows\CurrentVersion\Control Panel (HKLM or HKCU) or the Explorer ControlPanel\NameSpace subkey, so registry telemetry should cover those paths. Because no ATT&CK tactics or relationships were supplied, treat this as a focused detection analytic rather than a complete intrusion scenario.
Likely telemetry
- Windows process creation events including image name, command line, parent process, child process, user, host, and timestamp
- File creation or modification telemetry for CPL files, especially creation time and path
- Registry modification telemetry for Control Panel item registration or related persistence-like changes
- Endpoint detection and response context linking process, file, and registry activity on the same host
- Asset and user context to separate expected administrative activity from unusual workstation or server behavior
Detection direction
- Confirm that command-line logging is enabled and retained for control.exe and rundll32.exe executions on Windows systems.
- Tune for CPL references from non-standard directories and newly created CPL files rather than alerting only on the presence of control.exe or rundll32.exe, which can be legitimate.
- Correlate process execution with child process creation and registry modifications occurring shortly afterward on the same endpoint.
- Review false positives from legitimate software installers, control panel extensions, driver utilities, and administrative tooling that may register CPL items.
- Identify blind spots where registry auditing, file creation telemetry, or command-line capture is absent, because those gaps directly limit confidence in this analytic.
Mitigation priorities
- Ensure endpoint logging captures process command lines, file creation metadata, and registry changes relevant to Windows Control Panel item registration.
- Limit unnecessary local administrative rights and restrict write access to software installation paths where feasible; when any user can drop a CPL file or write the Control Panel registration keys, unauthorized placement or registration is much harder to attribute and investigate.
- Establish baselines for approved Control Panel extensions, expected CPL locations, and legitimate administrative utilities.
- Prepare IR triage steps that preserve the CPL file, process tree, registry changes, user context, and host timeline for rapid scoping.
- Use this analytic as supporting evidence in detection engineering and compliance readiness reviews for Windows endpoint monitoring coverage.
Analyst notes and limits
The supplied object is a detection analytic for Windows only. Its strongest decision value is in validating whether defenders can correlate trusted Windows utility execution with CPL file location, file freshness, child process behavior, and registry changes. No relationship context was supplied, so this analysis does not infer associated techniques, malware, groups, campaigns, or outcomes.
Official detection text was not provided, tactics were not specified, and no relationships were supplied. Local environment baselines are required to define standard versus non-standard CPL directories and to tune legitimate administrative or installer behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 860461988a78… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0558 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.