
Control Panel Items

Sigma Rules

Summary
This detection rule identifies potentially malicious execution of control panel items (CPL files) on Windows systems. Control panel items can be abused by threat actors to run arbitrary code or manipulate the system. The rule monitors process creation for command-line arguments and patterns associated with `reg.exe` and with the execution of CPL files: it looks for command lines that indicate an attempt to add or modify control panel items, and for the `.cpl` extension appearing in unusual contexts, while excluding expected system executions. Given how versatile control panel items are in Windows, this rule is a crucial part of an endpoint detection and response strategy for mitigating persistence and defense-evasion tactics.
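As an added illustration of the detection logic the summary describes (example code written for this page, not the Sigma rule itself and not code from the rule's authors), the following Python classifies constructed process-creation events: it flags `reg.exe` command lines that add an entry under the control panel items registry location, and command lines that reference a `.cpl` file outside the expected system locations. The registry path and the list of expected locations are assumptions, since the page names neither; the sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """A process-creation event as Sysmon/EDR telemetry reports it (Image and CommandLine)."""
    image: str
    command_line: str


# Assumption (not on the page): directories where .cpl execution is the expected
# system behaviour. The summary only says "expected system executions" are excluded.
EXPECTED_CPL_LOCATIONS = ("\\system32\\", "%system%", "c:\\windows\\system32")

# Assumption (not on the page): registry location under which control panel items
# are registered. The summary only mentions reg.exe adding or modifying items.
CPL_REGISTRY_HINT = "currentversion\\control panel\\cpls"


def matches_reg_add(ev: ProcEvent) -> bool:
    """reg.exe used with 'add' against the control panel items registry location."""
    cl = ev.command_line.lower()
    return (
        ev.image.lower().endswith("\\reg.exe")
        and re.search(r"\badd\b", cl) is not None
        and CPL_REGISTRY_HINT in cl
    )


def matches_unusual_cpl(ev: ProcEvent) -> bool:
    """A .cpl reference in the command line that is not under an expected system location."""
    cl = ev.command_line.lower()
    if ".cpl" not in cl:
        return False
    return not any(loc in cl for loc in EXPECTED_CPL_LOCATIONS)


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the matched selection name, or None when the event is benign under this logic."""
    if matches_reg_add(ev):
        return "reg_add_cpl"
    if matches_unusual_cpl(ev):
        return "unusual_cpl"
    return None


# Constructed sample events; none of these come from the page.
SAMPLE_EVENTS: List[ProcEvent] = [
    # Built-in applet launched from System32: expected, not flagged.
    ProcEvent(r"C:\Windows\System32\control.exe",
              r"control.exe C:\Windows\System32\timedate.cpl"),
    # A .cpl file opened from a user-writable directory: flagged as unusual.
    ProcEvent(r"C:\Windows\System32\control.exe",
              r"control.exe C:\Users\Public\item.cpl"),
    # reg.exe registering a new control panel item: flagged.
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls" '
              r"/v Item /t REG_SZ /d C:\Users\Public\item.cpl"),
    # reg.exe only reading the same key: not an add, not flagged.
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"'),
    # Unrelated process: not flagged.
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]


def run_detection(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[Tuple[str, str]]:
    """Return (command_line, selection) for every event the logic flags."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.command_line, label))
    return hits


if __name__ == "__main__":
    for command_line, label in run_detection():
        print(f"{label:<13} {command_line}")
```

The `reg.exe` selection is checked first so that a registration command, which also carries a `.cpl` path in its data value, is reported under the more specific label. The location filter is a substring check on the lowered command line, which is how Sigma's `contains` modifiers behave; tune `EXPECTED_CPL_LOCATIONS` to your own baseline of legitimate system paths before deploying anything like this.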
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-06-22