Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Sigma rule
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
    - https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith: '\WorkFolders.exe'
    filter:
        Image: 'C:\Windows\System32\control.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of the uncommon Windows Work Folders feature.
level: high
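To make the rule's logic concrete, the following is an added example (not part of the SigmaHQ rule or this page) that re-implements the `selection and not filter` condition in Python and runs it over a few constructed process_creation events. It shows why the filter matters: a control.exe spawned by WorkFolders.exe from the real System32 path is suppressed, while the same parent/child pairing with control.exe at any other path is flagged. Sigma string matching is case-insensitive unless the `cased` modifier is used, so the comparisons lowercase both sides; the sample events and field names (Sysmon-style `Image`, `ParentImage`, `CommandLine`) are constructed for illustration.

```python
"""Added example: a minimal evaluator for the 'Execution via WorkFolders.exe'
Sigma rule, run over constructed process_creation events. This is not the
Sigma backend or the rule author's code; it only mirrors the rule's condition."""

RULE_ID = "0bbc6369-43e3-453d-9944-cae58821c173"  # id from the rule above


def selection(event: dict) -> bool:
    """selection block: Image ends with '\\control.exe' and
    ParentImage ends with '\\WorkFolders.exe' (case-insensitive, as in Sigma)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return image.endswith("\\control.exe") and parent.endswith("\\workfolders.exe")


def filter_(event: dict) -> bool:
    """filter block: Image is exactly the legitimate System32 control.exe."""
    return event.get("Image", "").lower() == "c:\\windows\\system32\\control.exe"


def matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not filter_(event)


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate Work Folders feature launching the real control.exe: suppressed by filter
        "Image": "C:\\Windows\\System32\\control.exe",
        "ParentImage": "C:\\Windows\\System32\\WorkFolders.exe",
        "CommandLine": "control.exe",
    },
    {   # same path but different casing: Sigma matching is case-insensitive, still suppressed
        "Image": "c:\\windows\\system32\\CONTROL.EXE",
        "ParentImage": "C:\\Windows\\System32\\workfolders.exe",
        "CommandLine": "control.exe",
    },
    {   # control.exe outside System32 spawned by WorkFolders.exe: this is what the rule flags
        "Image": "C:\\Users\\Public\\control.exe",
        "ParentImage": "C:\\Users\\Public\\WorkFolders.exe",
        "CommandLine": "control.exe",
    },
    {   # unrelated parent process: selection does not match at all
        "Image": "C:\\Windows\\System32\\control.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "control.exe",
    },
]


def evaluate(events) -> list:
    """Return one boolean per event: True where the rule would alert."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        verdict = "ALERT" if hit else "ok"
        print(f"{verdict:5} {event['ParentImage']} -> {event['Image']}")
```

When tuning this rule, the filter is the knob: if your environment legitimately runs Work Folders, the only events that should survive it are control.exe binaries living somewhere other than `C:\Windows\System32`, which is exactly the arbitrary-control.exe case the description refers to.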
References
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE