MITRE ATT&CK Technique
Description
Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL) Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-04-18T17:59:24.739Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Windows Control Panel items are utilities that allow users to '
'view and adjust computer settings. Control Panel items are '
'registered executable (.exe) or Control Panel (.cpl) files, '
'the latter are actually renamed dynamic-link library (.dll) '
'files that export a CPlApplet function. (Citation: Microsoft '
'Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) '
'Control Panel items can be executed directly from the command '
'line, programmatically via an application programming '
'interface (API) call, or by simply double-clicking the file. '
'(Citation: Microsoft Implementing CPL) (Citation: TrendMicro '
'CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec '
'2013)\n'
'\n'
'For ease of use, Control Panel items typically include '
'graphical menus available to users after being registered and '
'loaded into the Control Panel. (Citation: Microsoft '
'Implementing CPL)\n'
'\n'
'Adversaries can use Control Panel items as execution payloads '
'to execute arbitrary commands. Malicious Control Panel items '
'can be delivered via [Spearphishing '
'Attachment](https://attack.mitre.org/techniques/T1193) '
'campaigns (Citation: TrendMicro CPL Malware Jan 2014) '
'(Citation: TrendMicro CPL Malware Dec 2013) or executed as '
'part of multi-stage malware. (Citation: Palo Alto Reaver Nov '
'2017) Control Panel items, specifically CPL files, may also '
'bypass application and/or file extension whitelisting.',
'external_references': [{'external_id': 'T1196',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1196'},
{'description': 'M. (n.d.). Implementing Control '
'Panel Items. Retrieved January 18, '
'2018.',
'source_name': 'Microsoft Implementing CPL',
'url': 'https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx'},
{'description': 'Mercês, F. (2014, January 27). CPL '
'Malware - Malicious Control Panel '
'Items. Retrieved January 18, 2018.',
'source_name': 'TrendMicro CPL Malware Jan 2014',
'url': 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'},
{'description': 'Bernardino, J. (2013, December 17). '
'Control Panel Files Used As '
'Malicious Attachments. Retrieved '
'January 18, 2018.',
'source_name': 'TrendMicro CPL Malware Dec 2013',
'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/'},
{'description': 'Grunzweig, J. and Miller-Osborn, J. '
'(2017, November 10). New Malware '
'with Ties to SunOrcal Discovered. '
'Retrieved November 16, 2017.',
'source_name': 'Palo Alto Reaver Nov 2017',
'url': 'https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/'}],
'id': 'attack-pattern--8df54627-376c-487c-a09c-7d2b5620f56e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:05.377Z',
'name': 'Control Panel Items',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}