DET0194: Detection of Malicious Control Panel Item Execution via control.exe or Rundll32
Analyst context for executives and security teams
This detection strategy is about finding suspicious execution of Windows Control Panel items through control.exe or Rundll32, a pattern associated by ATT&CK with the Control Panel technique (T1218.002). The business significance is that trusted Windows utilities can make malicious execution look administrative or routine, which can weaken response speed if SOC teams only alert on obviously malicious binaries.
Executive priority
Prioritize this as a Windows endpoint visibility and response-readiness question: can the organization distinguish normal Control Panel administration from suspicious Control Panel item execution? Leaders should ask whether endpoint logging, detection logic, and incident triage procedures cover trusted-binary proxy execution, because gaps here can affect containment decisions, audit evidence, and confidence in workstation/server monitoring.
Technical view
ATT&CK provides no official detection text for DET0194, so teams should validate coverage against the related technique context: T1218.002, Control Panel, on Windows, in the stealth (defense evasion) context. Detection engineering should focus on process execution involving control.exe or Rundll32, unusual .cpl or DLL-backed Control Panel item launches, parent/child process context, command-line arguments, file paths, user context, and whether the activity aligns with expected administrative behavior.
Likely telemetry
- Windows endpoint process creation events for control.exe and rundll32.exe
- Command-line arguments and parent/child process relationships
- File path and extension details for launched Control Panel items, especially .cpl or DLL-backed components
- User, host, and session context for administrative versus unexpected execution
- Endpoint detection and response alerts or enrichments related to trusted Windows binary execution
Detection direction
- Confirm that process creation telemetry includes command line, parent process, user, host, and executable path details; without these fields, triage value will be limited.
- Baseline expected Control Panel usage in the environment to reduce false positives from normal administration and user settings changes.
- Review execution of Control Panel items from unusual directories, unexpected parent processes, or uncommon user contexts.
- Correlate control.exe or Rundll32 activity with adjacent endpoint events rather than treating the binary name alone as malicious.
- Document blind spots where endpoint logging is absent, command lines are truncated, or administrative tooling commonly invokes these binaries.
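As an added example (not part of the ATT&CK object or of this page's own analysis), the detection direction above turned into a scoring function over constructed process-creation events: the binary name alone scores nothing, while a .cpl launched from outside the system directories, an unexpected parent process, or a non-admin user context does, and a missing or truncated command line is reported as a blind spot rather than silently ignored. The trusted directories, parent-process list, admin accounts and event field names are assumptions to replace with a local baseline.

```python
import re
# Constructed baseline values (assumptions; tune to the local environment).
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
UNEXPECTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "powershell.exe"}
ADMIN_ACCOUNTS = {r"corp\helpdesk-admin", r"nt authority\system"}
CPL_ARG = re.compile(r'"([^"]*\.cpl)"|(\S+\.cpl)', re.IGNORECASE)  # quoted or bare .cpl path

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation event; constructed keys:
    image, command_line, parent_image, user. Binary name alone never scores."""
    if basename(ev.get("image", "")) not in ("control.exe", "rundll32.exe"):
        return 0, []
    score, reasons, cmd = 0, [], ev.get("command_line", "")
    if not cmd or cmd.endswith("..."):  # blind spot: missing or truncated command line
        reasons.append("command line missing or truncated; triage value limited")
    m = CPL_ARG.search(cmd)
    if m:  # explicit Control Panel item file rather than a canonical /name launch
        item = (m.group(1) or m.group(2)).lower()
        if not item.startswith(TRUSTED_CPL_DIRS):
            score += 3
            reasons.append(f"cpl outside system directories: {item}")
        if ev.get("user", "").lower() not in ADMIN_ACCOUNTS:
            score += 1
            reasons.append(f"cpl file launched by non-admin user: {ev.get('user')}")
    parent = basename(ev.get("parent_image", ""))
    if parent in UNEXPECTED_PARENTS:
        score += 3
        reasons.append(f"unexpected parent process: {parent}")
    return score, reasons

def triage(events, threshold=3):
    """Return [(score, reasons, event)] at or above threshold, highest score first."""
    scored = [(*score_event(ev), ev) for ev in events]
    return sorted((h for h in scored if h[0] >= threshold), key=lambda h: -h[0])

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"image": r"C:\Windows\System32\control.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "control.exe /name Microsoft.NetworkAndSharingCenter", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"',
     "user": r"CORP\helpdesk-admin"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Program Files\Office\WINWORD.EXE",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\invoice.cpl",
     "user": r"CORP\bob"},
    {"image": r"C:\Windows\System32\control.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "", "user": r"NT AUTHORITY\SYSTEM"},
]
```

Only the third sample event crosses the threshold; the routine settings launch, the system-directory .cpl opened by an admin, and the control.exe event with an empty command line do not, though the last one is reported as a logging gap.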
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are enabled on systems where Control Panel item execution would matter to incident response.
- Apply least-privilege and administrative control practices so routine users have limited ability to introduce or execute untrusted components.
- Harden detection review workflows for trusted Windows utility abuse, including clear triage criteria for control.exe and Rundll32 activity.
- Use vulnerability management and configuration governance to reduce unmanaged endpoints where this behavior could go unobserved.
- Maintain compliance evidence showing that process execution telemetry and response procedures are in place for Windows endpoint monitoring.
Analyst notes and limits
This take is based on DET0194 metadata and its relationship to ATT&CK technique T1218.002 Control Panel. The object itself has no official description, tactics, platforms, or detection text; the Windows and stealth context comes from the related technique. Treat this as a detection-validation prompt rather than a complete analytic specification.
The supplied ATT&CK fields do not provide detection logic, data sources, analytics, mitigations, or examples. Local baselining is required to determine what is suspicious in a given environment, especially because legitimate administrative activity may use Control Panel mechanisms.
Detection of Malicious Control Panel Item Execution via control.exe or Rundll32
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.002 | Control Panel Sub-technique | This object detects Control Panel. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2f617f12afaa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0194 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.