Control.exe

Binary used to launch Control Panel items in Windows.


Paths:


Resources:
https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
https://twitter.com/bohops/status/955659561008017409
https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/

Acknowledgement:
Jimmy - @bohops


Detection:
Control.exe executing files from alternate data streams.



Alternate data streams

Execute evil.dll which is stored in an Alternate Data Stream (ADS).
control.exe c:\windows\tasks\file.txt:evil.dll
Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1196
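
One way to implement the detection listed above, as an added example that is not part of the original entry: it checks process-creation command lines (such as those logged by Windows event 4688 or Sysmon event 1) for control.exe being handed a `file:stream` argument. The function names and the sample command lines are constructed for illustration.

```python
import re
import shlex

# Image must be control.exe (a bare "control" resolves to the same binary).
CONTROL_IMAGE = re.compile(r'(?:^|[\\/])control(?:\.exe)?$', re.IGNORECASE)
# ADS reference: [drive:]path\file:stream[:$DATA]. The host part needs at
# least two characters so a drive-relative path like "C:foo.cpl" is not
# mistaken for file "C" with stream "foo.cpl".
ADS_ARG = re.compile(
    r'^(?P<host>(?:[A-Za-z]:)?[^:]{2,}):(?P<stream>[^:\\/]+)(?::\$DATA)?$',
    re.IGNORECASE)

def split_cmdline(cmdline):
    """Tokenise a logged command line; posix=False keeps backslashes."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes in a truncated log field
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]

def ads_targets(cmdline):
    """Return (host_file, stream) pairs when control.exe is given an ADS path."""
    tokens = split_cmdline(cmdline)
    if not tokens or not CONTROL_IMAGE.search(tokens[0]):
        return []
    hits = []
    for arg in tokens[1:]:
        m = ADS_ARG.match(arg)
        if m:
            hits.append((m.group('host'), m.group('stream')))
    return hits

# Constructed sample command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'control.exe c:\windows\tasks\file.txt:evil.dll',      # form shown above
    r'control.exe appwiz.cpl',                              # normal applet
    r'"C:\Windows\System32\control.exe" /name Microsoft.WindowsUpdate',
    r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl"',
    r'notepad.exe c:\windows\tasks\file.txt:notes',         # not control.exe
]

def flagged(events):
    """Return the subset of command lines that match the detection."""
    return [e for e in events if ads_targets(e)]

if __name__ == '__main__':
    for line in flagged(SAMPLE_EVENTS):
        print('ALERT control.exe ADS load:', line, ads_targets(line))
```

The check keys on the second colon in the argument, so ordinary `.cpl` paths with only a drive-letter colon and `/name` canonical names do not match.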