From 2bf4516881c9ef4c84702274d32cf9ac05ced1a1 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 12:26:15 +0200
Subject: [PATCH] Update Control.yml

Added Execution section to Control.exe

Added tags:
- Input Custom Format
---
 yml/OSBinaries/Control.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml
index 7f4e162..4ebd881 100644
--- a/yml/OSBinaries/Control.yml
+++ b/yml/OSBinaries/Control.yml
@@ -13,6 +13,17 @@ Commands:
     OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: DLL
+      - Input: Custom Format
+  - Command: control.exe c:\windows\tasks\evil.cpl
+    Description: Execute evil.cpl payload. A CPL is a DLL file with CPlApplet export function)
+    Usecase: Use to execute code and bypass application whitelisting
+    Category: Execution
+    Privileges: User
+    MitreID: T1218.002
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+    Tags:
+      - Execute: DLL
+      - Input: Custom Format
 Full_Path:
   - Path: C:\Windows\System32\control.exe
   - Path: C:\Windows\SysWOW64\control.exe