Sigma rules for CVE-2020-10966
3 rules · scoped to cve · back to CVE-2020-10966
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Control Panel DLL Load
id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819
status: test
description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
references:
- https://twitter.com/rikvduijn/status/853251879320662017
- https://twitter.com/felixw3000/status/853354851128025088
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2023-02-09
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\System32\control.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
filter:
CommandLine|contains: 'Shell32.dll'
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1218.002
- attack.persistence
- attack.t1546
logsource:
product: windows
category: process_creation
detection:
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cli:
CommandLine|contains|all:
- 'add'
- 'CurrentVersion\Control Panel\CPLs'
selection_cpl:
CommandLine|endswith: '.cpl'
filter_cpl_sys:
CommandLine|contains:
- '\System32\'
- '%System%'
- '|C:\Windows\system32|'
filter_cpl_igfx:
CommandLine|contains|all:
- 'regsvr32 '
- ' /s '
- 'igfxCPL.cpl'
condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
- Unknown
level: high
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://github.com/mhaskar/FsquirtCPLPoC
- https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\appwiz.cpl' # Usually loaded by fondue.exe
- '\bthprops.cpl' # Usually loaded by fsquirt.exe
- '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
filter_main_legit_location:
ImageLoaded|startswith:
- 'C:\Windows\Prefetch\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml