Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. Today we're going to be looking at control panel items within the execution phase of the minor attack framework. So with that, let's go ahead and jump right in.
00:16
So today's objectives are as follows. We're going to be looking at what our control panel items as laid out and minor. We're going to discuss method for attacking using control panel items, so discuss a method for attacking. We're going to look at some mitigation techniques as usual
00:35
and some detection techniques
00:37
as well. So let's go ahead and jump into our definition here.
00:42
So control panel items is the items used in Windows to allow users to view and adjust system settings there, typically registered as dot e x e and CPL files
00:56
or control panel files and execute a bles. These items can be executed from the command line viene a p i or through interaction with the file. So if an attachment or something that that nature were sent and the user interacts with it and it executes a dot CPL or XY file, it can be done through there
01:15
and then these files have been used as execution payloads to run arbitrary commands. Common delivery method of malicious control panel items is done through spearfishing attachments or through multistage malware.
01:30
And so again, we talked about the initial access face and how AH threat after would gain access to systems. This in combination with spear phishing links, would get them into a system. And then this would be essentially again part of execution. Getting a bigger payload
01:49
on do a system, getting malicious software into a system
01:53
and then potentially allowing a threat actor to further propagate through the network Or do some initial discovery on the system that is impacted are infected.
02:05
Now let's look at a method for attacking or how this could be put to use.
02:09
And so this could be popular as faras this particular vector when environments have defenses in place, such as application, white listing and process white listing, so this may not get scanned, or it may be able to bypass that. And so
02:25
our particular case here is Step one user receives a message with a malicious attachment, and again, this is typically the product of some type of spear fishing campaign. Or maybe they've clicked on a link that's taken them to a site that's downloaded some payload.
02:43
The attachment contains an embedded CPL file. Okay, which then upon its execution, the file connects to the Internet and downloads the bigger payload or what? Whatever it is that the threat actors trying to get onto the system. So
03:00
this particular method in itself is not the final
03:06
piece of software are the final piece forgetting the threat actor into a system and establishing persistence. But it is one of the stepping stones in doing so. So you may be asking yourself, what are some ways that we can stop this or look for this on our systems? Well,
03:23
mitigation techniques pretty much fall into line with some of the other things that we've looked at. So execution prevention can still be obtained through means such as antivirus. And so in the example we previously showed.
03:37
If a user downloads a no malicious payload being that the signature matches that would has been seen through these threat groups and the NMR spenders update their systems or their signature bases, it would, you know, block in the particular payload or a connection attempt.
03:55
If the payload calls out to a known malicious I P or system,
03:59
Then the connection can be blocked. So again, if we're using some sort of intrusion prevention system, if we've got, um,
04:06
a set up on the far wall that looks for blacklisted I PS or eye peas or systems or you RL's, that may be suspicious or that may be malicious
04:17
and it can block them. And even if the payload were changed, if it reached, it reaches out to a known bad I peer system that it could be blocked at that point as well,
04:29
and then control panel items within something like group policy or some other software. White listing application can be restricted or protected the spaces within them as far as where they right and those directories can be protected. So
04:44
taking the steps to lock those down and prevent those from being executed by standard users could also be a way that we can implement some type of mitigation for these control panel items or this particular vector within the execution face.
04:59
Now let's talk about detection techniques so items related to or associated with CPL files can be monitored and analyzed with monitoring tools. Some examples or control run DLL control run DLL issues. Er there's some other examples as well. But if there are particular
05:19
particular commands in particular
05:24
instances of these that you would want to monitor and check for, you would definitely want to see what threat actors are commonly used in what's associated with some of the common malicious tools. And then you could monitor these particular areas as well.
05:38
Now, another area that's a little more manual in process would be an inventory of control panel items that can be conducted
05:46
to find unregistered or potentially malicious files.
05:49
And so, in doing this, we ran a get dash control panel item all one word there, and it produces a list with name, conical name, category and description. So a way that we could approach this
06:06
is that we could do an initial review
06:10
of these particular items and validate that they are in fact known good on the system and then to help automate the process Later, we could potentially implement some form of, um, output of this list. That's compared to the new list.
06:28
So we get the original approved list
06:30
so we'd have essentially list one and then we would run something like a script or something that would produce list to the The two should be equal and shouldn't have no changes. And if that's the case, then we're good to go. But if you run an output of list one and
06:48
against list to or you have list one and then you run, you know and get less. Two. And there is something in this, too, that makes it mawr than what list one was like There's been changes or something like that. Then you can focus on reviewing that particular system.
07:04
So there's some flexibility here and maybe some capability for those that have a knack for writing scripts or writing some type of comparative script that could then look at the outputs of this, and you could use that to your advantage.
07:17
So with that in mind, let's go ahead and do a quick check on learning. True or false. The dot CPL or X E X file extensions are used for manipulating are using control panel items.
07:33
All right, so if you need some additional time, please pause the video so the dot CPL
07:40
or dot txt extensions are years for manipulating or using control panel items.
07:46
In this instance, that is a true statement. So those were the two that we reviewed in the initial component of this discussion and those air currently the primary means through which threat actors will attempt to manipulate those sevens in those areas.
08:03
So with that, let's go ahead and look at our summary.
08:07
So we reviewed control panel items essentially, that this is a vector where threat actors are using dot dxy on dot CPL file extensions. To manipulate configurations within the control panel, Teoh insert functions or features that may not be legitimate
08:28
re reviewed methods for attacking using control panel items. And so we looked at those three steps again.
08:33
Remember that fishing or some type of interaction is typically the first step in these, and even then, if you interact with this item, it could be that your antivirus would pick it up and block it, or even if it were able to run and try to make a connection, going out to,
08:52
ah command and control server, some type of system to get a payload.
08:56
It could be blocked as well if it's blacklisted or known. Bad actor.
09:01
We also reviewed some mitigation techniques, looking at maybe blocking the areas where
09:07
the's control panel items can be written to and preventing, and users from being able to interact with those areas could assist. And then we looked at some detection techniques again,
09:18
focusing on preventative measures such as antivirus and something of that nature that would stop the initial payloads and connections out. And then, if all else fails, having some type of manual review initially where we can pull the information in the control panel items list,
09:35
do a review to look for unregistered or unknown entities on that list,
09:41
validate that the list is good and then have some measure in place to look for changes against that list in the future. Again, it's a very broad area as far as control panel items, there's a number of ways that this could be taken advantage of. But the gist of it is, um,
09:56
that, you know, there are not as faras within the minor tech framework a high number of malicious attack attempts using not CPL files.
10:03
But if that becomes more popular and continues to grow, it would definitely be beneficial to be ahead of the curb on that. So, with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor