From 135de276c13d23eb19abdcb1c4b729ce5795e6e5 Mon Sep 17 00:00:00 2001 From: PhyoPaingHtun ChiLai <83696447+PhyoPaingHtun@users.noreply.github.com> Date: Fri, 9 Jan 2026 22:29:36 +0700 Subject: [PATCH 1/4] Add fsquirt_abuse_malicious_cpl_load.yml for fsquirt.exe --- .../fsquirt_abuse_malicious_cpl_load.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml diff --git a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml new file mode 100644 index 00000000..1ed5e333 --- /dev/null +++ b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml @@ -0,0 +1,30 @@ +--- +Name: fsquirt.exe +Description: Bluetooth File Transfer Wizard used by Windows. +Author: Microsoft +Created: 2026-01-09 +Commands: + - Command: fsquirt.exe + Description: Executes the Bluetooth File Transfer Wizard. + Usecase: > + Executes a Control Panel applet by implicitly loading bthprops.cpl + from the current working directory when fsquirt.exe is executed + outside of its default system location. + Category: Execute + Privileges: User + MitreID: T1574.002 + OperatingSystem: Windows 11, Windows 10, Windows Server + Tags: + - Execute: CPL + - ProxyExecution +Full_Path: + - Path: C:\Windows\System32\fsquirt.exe + - Path: C:\Windows\SysWOW64\fsquirt.exe +Detection: + - IOC: fsquirt.exe loading bthprops.cpl from a non-system directory +Resources: + - Link: https://attack.mitre.org/techniques/T1574/002/ + - Link: https://securelist.com/beyond-the-surface-sidewinder-apt/ + - Link: https://github.com/PhyoPaingHtun/TestPanda/blob/main/image_load_win_fsquirt_dll_load_from_non_system_paths.yml +Acknowledgement: + - Person: Phyo Paing Htun From 5bf73680347bf44145dba5f8ef08dd219c7709c1 Mon Sep 17 00:00:00 2001 
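Review bot: The Usecase in the new file attributes the bthprops.cpl load to the current working directory, but the standard DLL search order checks the application's own directory before the CWD, so for a relocated copy of fsquirt.exe the .cpl would most likely be resolved from the directory holding the executable — the entry should say which directory the lookup actually resolves against, since the two imply different attacker preconditions (staging the payload beside a copied fsquirt.exe versus running the System32 copy from a writable CWD) and different detections. The only Detection IOC requires image-load telemetry (e.g. Sysmon event 7), which many environments do not collect; add one that process-creation logging can match on its own, such as `- IOC: fsquirt.exe executing from a path other than C:\Windows\System32 or C:\Windows\SysWOW64`. MitreID T1574.002 (DLL Side-Loading) was, as far as I recall, deprecated and merged into T1574.001 in ATT&CK v16, so confirm the current sub-technique ID before merge. None of the three Resources is identified as the source that documents fsquirt.exe loading bthprops.cpl specifically (the third is a Sigma rule in the submitter's own repository rather than upstream SigmaHQ), so a reviewer cannot verify the claim from the entry alone; naming the primary reference would help.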
From: PhyoPaingHtun ChiLai <83696447+PhyoPaingHtun@users.noreply.github.com> Date: Fri, 9 Jan 2026 22:40:46 +0700 Subject: [PATCH 2/4] Update fsquirt_abuse_malicious_cpl_load.yml --- yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml index 1ed5e333..3f754977 100644 --- a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml +++ b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml @@ -16,7 +16,6 @@ Commands: OperatingSystem: Windows 11, Windows 10, Windows Server Tags: - Execute: CPL - - ProxyExecution Full_Path: - Path: C:\Windows\System32\fsquirt.exe - Path: C:\Windows\SysWOW64\fsquirt.exe From ecbd01389aeda2bee699fa82f250ab244349a2c4 Mon Sep 17 00:00:00 2001 From: PhyoPaingHtun ChiLai <83696447+PhyoPaingHtun@users.noreply.github.com> Date: Fri, 9 Jan 2026 22:44:07 +0700 Subject: [PATCH 3/4] Update description for fsquirt abuse YAML Clarified the description to indicate potential abuse of malicious CPL. --- yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml index 3f754977..60d4c314 100644 --- a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml +++ b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml @@ -9,7 +9,7 @@ Commands: Usecase: > Executes a Control Panel applet by implicitly loading bthprops.cpl from the current working directory when fsquirt.exe is executed - outside of its default system location. + outside of its default system location.This behavior may indicate abuse of malicious CPL to execute code under the context of a trusted Windows binary. Category: Execute Privileges: User MitreID: T1574.002 From 305ff1cdceb71c3ddeab1ab9233ca647a319d0d4 Mon Sep 17 00:00:00 2001 
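Review bot: The replacement Usecase line joins two sentences without a space — `system location.This behavior` — and because the scalar is folded (`>`) the glued text is carried into the rendered entry verbatim; change it to `outside of its default system location. This behavior may indicate abuse of a malicious CPL to execute code in the context of a trusted Windows binary.` The added sentence also reads as detection guidance ("may indicate abuse") rather than a description of the abuse the Usecase field documents; consider moving that framing into the Detection entry and keeping Usecase declarative. The commit message refers to the Description field, but the line edited is the Usecase scalar.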
From: PhyoPaingHtun ChiLai <83696447+PhyoPaingHtun@users.noreply.github.com> Date: Fri, 9 Jan 2026 22:50:59 +0700 Subject: [PATCH 4/4] Update author in fsquirt_abuse_malicious_cpl_load.yml --- yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml index 60d4c314..2842e256 100644 --- a/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml +++ b/yml/OSBinaries/fsquirt_abuse_malicious_cpl_load.yml @@ -1,7 +1,7 @@ --- Name: fsquirt.exe Description: Bluetooth File Transfer Wizard used by Windows. -Author: Microsoft +Author: Phyo Paing Htun Created: 2026-01-09 Commands: - Command: fsquirt.exe