← Back to SOC feed Coverage →

System Control Panel Item Loaded From Uncommon Location

sigma HIGH SigmaHQ
T1574.001
DeviceImageLoadEvents
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at SigmaHQ →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.

Detection Rule

Sigma (Original)

title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
    Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
    - https://github.com/mhaskar/FsquirtCPLPoC
    - https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\appwiz.cpl' # Usually loaded by fondue.exe
            - '\bthprops.cpl' # Usually loaded by fsquirt.exe
            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
    filter_main_legit_location:
        ImageLoaded|startswith:
            - 'C:\Windows\Prefetch\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml

KQL (Microsoft 365 Defender)

DeviceImageLoadEvents
| where (FolderPath endswith "\\appwiz.cpl" or FolderPath endswith "\\bthprops.cpl" or FolderPath endswith "\\hdwwiz.cpl") and (not((FolderPath startswith "C:\\Windows\\Prefetch\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))

Required Data Sources

Sentinel TableNotes
DeviceImageLoadEventsEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

Validation (Atomic Red Team)

Use these Atomic Red Team tests to validate this detection fires correctly:

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml