Sigma | high | Hunting
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Detection Query
selection:
    Image|endswith: \control.exe
    ParentImage|endswith: \WorkFolders.exe
filter:
    Image: C:\Windows\System32\control.exe
condition: selection and not filter
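To show what this query actually decides, here is a small evaluator, added for this page and not part of the Sigma rule, its author's work or the explorer site, that applies the rule's selection/filter/condition logic to constructed process-creation events. It mirrors Sigma's default case-insensitive string matching and makes one property of the rule visible: the filter excludes only the exact System32 path, so any control.exe launched by WorkFolders.exe from another location is raised as a hit. The event class, field names and sample paths are assumptions chosen for the example.

```python
# Added example (not part of the Sigma rule or the explorer page): a small
# evaluator for this rule's selection/filter logic over constructed
# process-creation events, mirroring Sigma's case-insensitive string matching.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreationEvent:
    """Constructed stand-in for a Windows process-creation event (hypothetical
    field names; a real log source such as Sysmon carries more fields)."""
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier compares case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def sigma_equals(value: str, expected: str) -> bool:
    """A plain Sigma field match is also case-insensitive."""
    return value.lower() == expected.lower()


def rule_matches(event: ProcessCreationEvent) -> bool:
    """Implements: condition: selection and not filter"""
    selection = (sigma_endswith(event.image, r"\control.exe")
                 and sigma_endswith(event.parent_image, r"\WorkFolders.exe"))
    # The filter only excludes the exact System32 path of control.exe.
    filter_ = sigma_equals(event.image, r"C:\Windows\System32\control.exe")
    return selection and not filter_


# Constructed sample events; the paths are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    # 1. Legitimate Work Folders activity: removed by the System32 filter.
    ProcessCreationEvent(r"C:\Windows\System32\control.exe",
                         r"C:\Windows\System32\WorkFolders.exe"),
    # 2. control.exe outside System32 with WorkFolders.exe as parent: the
    #    pattern this rule is written to flag.
    ProcessCreationEvent(r"C:\Users\Public\control.exe",
                         r"C:\Users\Public\WorkFolders.exe"),
    # 3. Same paths in mixed case: still a hit, as Sigma matching would treat it.
    ProcessCreationEvent(r"C:\USERS\PUBLIC\CONTROL.EXE",
                         r"C:\Users\Public\WORKFOLDERS.EXE"),
    # 4. Unrelated parent process: selection fails, no hit.
    ProcessCreationEvent(r"C:\Windows\System32\control.exe",
                         r"C:\Windows\explorer.exe"),
]


def alerts(events):
    """Return the events the rule would raise as hits, in input order."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"HIT  image={hit.image}  parent={hit.parent_image}")
```

Run against the constructed events, events 2 and 3 are hits and events 1 and 4 are not. When porting the rule to a backend, keep the case-insensitive comparison; a case-sensitive translation of the filter would let a legitimate `C:\WINDOWS\system32\control.exe` launch slip past the exclusion and show up as a false positive.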
Author
Maxime Thiebaut (@0xThiebaut)
Created
2021-10-21
Data Sources
windows / Process Creation Events
Platforms
windows
Tags
attack.defense-evasion, attack.t1218
Raw Content
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
    - https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith: '\WorkFolders.exe'
    filter:
        Image: 'C:\Windows\System32\control.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of the uncommon Windows Work Folders feature.
level: high