Signed Proxy Execution via MS Work Folders

Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/03/02"
  3integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic", "Austin Songer"]
 11description = """
 12Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working
 13directory. Misuse of Windows Work Folders could indicate malicious activity.
 14"""
 15from = "now-9m"
 16index = [
 17    "winlogbeat-*",
 18    "logs-windows.forwarded*",
 19    "logs-windows.sysmon_operational-*",
 20    "endgame-*",
 21    "logs-system.security*",
 22    "logs-m365_defender.event-*",
 23    "logs-sentinel_one_cloud_funnel.*"
 24]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Signed Proxy Execution via MS Work Folders"
 28note = """## Triage and analysis
 29
 30### Investigating Signed Proxy Execution via MS Work Folders
 31
 32Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.
 33
 34Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.
 35
 36#### Possible investigation steps
 37
 38- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 39    - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default.
 40- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.
 41- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.
 42- Determine if control.exe was synced to sync share, indicating potential lateral movement.
 43- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to
 44disk from a separate binary.
 45
 46### False positive analysis
 47
 48- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.
 49
 50### Response and remediation
 51
 52- Initiate the incident response process based on the outcome of the triage.
 53- Isolate the involved host to prevent further post-compromise behavior.
 54- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.
 55- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.
 56- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.
 57- Confirm with the user whether this was expected or not, and reset their password.
 58"""
 59references = [
 60    "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview",
 61    "https://twitter.com/ElliotKillick/status/1449812843772227588",
 62    "https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/",
 63]
 64risk_score = 47
 65rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
 66severity = "medium"
 67tags = [
 68    "Domain: Endpoint",
 69    "OS: Windows",
 70    "Use Case: Threat Detection",
 71    "Tactic: Defense Evasion",
 72    "Resources: Investigation Guide",
 73    "Data Source: Elastic Endgame",
 74    "Data Source: System",
 75    "Data Source: Microsoft Defender for Endpoint",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78]
 79timestamp_override = "event.ingested"
 80type = "eql"
 81
 82query = '''
 83process where host.os.type == "windows" and event.type == "start"
 84    and process.name : "control.exe" and process.parent.name : "WorkFolders.exe"
 85    and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe")
 86'''
 87
 88
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91[[rule.threat.technique]]
 92id = "T1218"
 93name = "System Binary Proxy Execution"
 94reference = "https://attack.mitre.org/techniques/T1218/"
 95
 96
 97[rule.threat.tactic]
 98id = "TA0005"
 99name = "Defense Evasion"
100reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating Signed Proxy Execution via MS Work Folders

Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.

Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.

Possible investigation steps

  • Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
    • Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default.
  • Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.
  • Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.
  • Determine if control.exe was synced to sync share, indicating potential lateral movement.
  • Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to disk from a separate binary.

False positive analysis

  • Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Isolate the involved host to prevent further post-compromise behavior.
  • Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.
  • If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.
  • Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.
  • Confirm with the user whether this was expected or not, and reset their password.

References

Related rules

to-top