
Summary
This detection rule addresses the potential misuse of the Windows Control Panel executable (control.exe) as a proxy for executing malicious payloads. Because control.exe loads and runs Control Panel items, adversaries can abuse it by renaming a malicious Dynamic Link Library (DLL) with the Control Panel file extension (.cpl), which lets the file bypass security controls such as application allow lists or file extension validation. The rule uses a Splunk query that captures specific Sysmon event codes, focusing on executions of control.exe with suspicious file extensions. It is relevant for detecting techniques associated with threat actors such as Alloy Taurus, Gallium, Lazarus, and UNC2589, particularly in contexts related to recent geopolitical tensions where such tactics might be employed.
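As an added illustration of the detection logic described above (this is example code, not the rule's own Splunk query), the following Python applies the same check offline to constructed Sysmon Event ID 1 records: it selects processes whose image is control.exe and flags an item argument whose extension is not .cpl. The extra check for a .cpl loaded from outside the Windows directory and the handling of "desk.cpl,,3"-style applet-index suffixes are my assumptions beyond what the page states.

```python
import re
# Constructed Sysmon Event ID 1 (process creation) records using Sysmon's
# field names; paths and values are sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe desk.cpl,,3"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'control.exe "C:\Users\Public\update.cpl"'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe C:\Users\Public\invoice.dll"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\invoice.dll"},
]

# Split a command line on whitespace while keeping double-quoted paths whole.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def target_item(command_line):
    """Return the item argument given to control.exe (image and /switches skipped)."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            return tok
    return None

def classify(event):
    """Return a finding string if the event matches the rule logic, else None."""
    if event.get("EventCode") != 1:
        return None
    if not event.get("Image", "").lower().endswith("\\control.exe"):
        return None
    item = target_item(event.get("CommandLine", ""))
    if item is None:
        return None
    # Arguments such as "desk.cpl,,3" carry an applet index after a comma.
    path = item.lower().split(",")[0]
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext != "cpl":
        return f"control.exe launched with non-.cpl item: {item}"
    # A bare name resolves from System32; a full path elsewhere is suspicious.
    if "\\" in path and not path.startswith("c:\\windows\\"):
        return f"control.exe loading .cpl outside the Windows directory: {item}"
    return None

def run_rule(events):
    return [hit for hit in map(classify, events) if hit]
```

Canonical names passed via the /name switch (for example control.exe /name Microsoft.Firewall) are not handled here and would need an allow list before this logic is used for alerting.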
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218.002
Created: 2024-02-09