.. /WorkFolders.exe

Star

Paths:

• C:\Windows\System32\WorkFolders.exe

Resources:

• https://www.ctus.io/2021/04/12/exploading/
• https://twitter.com/ElliotKillick/status/1449812843772227588

Acknowledgements:

• John Carroll (@YoSignals)
• Elliot Killick (@elliotkillick)

Detections:

• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
• IOC: WorkFolders.exe should not be run on a normal workstation

Execute

1. Execute control.exe in the current working directory

   WorkFolders

   Use case

   Can be used to evade defensive countermeasures or to hide as a persistence mechanism

   Privileges required

   User

   Operating systems

   Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218