WorkFolders.exe

Work Folders

Paths

  • C:\Windows\System32\WorkFolders.exe

Commands

Execute

Execute `control.exe` in the current working directory

Use case: Can be used to evade defensive countermeasures or to hide as a persistence mechanism

Privileges: User

WorkFolders

Execute

`WorkFolders` attempts to execute `control.exe`. By modifying the default value of the App Paths registry key for `control.exe` in `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe`, an attacker can achieve proxy execution.

Use case: Proxy execution of a malicious payload via App Paths registry hijacking.

Privileges: User

WorkFolders

Detection
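Both techniques above can be checked from the defender's side with the audit below. It is an added example, not part of the original entry or any vendor tooling: the function names are hypothetical, and the second function assumes Sysmon is installed and logging process creation (Event ID 1).

```powershell
# Added example: audit for the two WorkFolders.exe techniques described on this page.
# Part 2 assumes Sysmon process-creation logging (Event ID 1) is enabled.
$expected = Join-Path $env:SystemRoot 'System32\control.exe'
$subKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe'

function Get-ControlAppPathOverride {
    # Walk every user hive loaded under HKEY_USERS. Elevation is needed to read
    # other users' hives; unelevated, this still covers the current user (HKCU).
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $path = "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
            $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if ($key) {
                $target = [string]$key.GetValue('')   # '' reads the (Default) value
                [pscustomobject]@{
                    Sid      = $_.PSChildName
                    Target   = $target
                    Expected = ($target.Trim('"') -ieq $expected)
                }
            }
        }
}

function Get-WorkFoldersChildProcess {
    param([int]$MaxEvents = 5000)
    # Children of WorkFolders.exe that are not the System32 control.exe are review candidates.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_; $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.ParentImage -like '*\WorkFolders.exe' -and $d.Image -ine $expected) {
                [pscustomobject]@{
                    Time  = $evt.TimeCreated; User = $d.User; Image = $d.Image
                    CurrentDirectory = $d.CurrentDirectory
                }
            }
        }
}

# Report per-user overrides that do not point at the real control.exe, then odd children.
Get-ControlAppPathOverride | Where-Object { -not $_.Expected }
Get-WorkFoldersChildProcess
```

An empty result from both calls means no per-user `control.exe` override is present in the loaded hives and no unexpected child of `WorkFolders.exe` appears in the sampled Sysmon events.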

Resources