Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Sigma rule

title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
    - https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021/10/21
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith: '\WorkFolders.exe'
    filter:
        Image: 'C:\Windows\System32\control.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of the uncommon Windows Work Folders feature.
level: high
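To make the rule's `selection and not filter` logic concrete, the following Python re-implements it and runs it over a handful of process-creation events. This is an added example for illustration, not code from the Sigma project or the rule's author. It assumes Sigma's default case-insensitive string matching, uses the rule's own field names (`Image`, `ParentImage`), and the sample events are constructed: one legitimate launch of the System32 Control Panel binary, two launches of a `control.exe` living outside System32, and one `control.exe` started by an unrelated parent.

```python
"""Evaluate the 'Execution via WorkFolders.exe' Sigma logic over sample events.

Added example (not part of the Sigma project). Field names follow the rule's
process_creation log source; all events below are constructed for the demo.
"""

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    # Legitimate: Work Folders launching the real Control Panel binary.
    {"Image": r"C:\Windows\System32\control.exe",
     "ParentImage": r"C:\Windows\System32\WorkFolders.exe"},
    # Suspicious: a control.exe that is not the System32 one.
    {"Image": r"C:\Users\Public\control.exe",
     "ParentImage": r"C:\Windows\System32\WorkFolders.exe"},
    # Legitimate path in different letter case: Sigma matching is
    # case-insensitive, so the filter must still suppress this one.
    {"Image": r"c:\windows\system32\CONTROL.EXE",
     "ParentImage": r"C:\Windows\System32\WorkFolders.exe"},
    # Out of scope: control.exe spawned by a parent the rule does not select.
    {"Image": r"D:\tmp\control.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma '|endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def _equals_ci(value: str, other: str) -> bool:
    """Sigma plain field match: case-insensitive equality."""
    return value.lower() == other.lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")

    # selection: control.exe whose parent is WorkFolders.exe
    selection = (_endswith_ci(image, r"\control.exe")
                 and _endswith_ci(parent, r"\WorkFolders.exe"))

    # filter: the genuine Control Panel binary in System32
    filter_ = _equals_ci(image, r"C:\Windows\System32\control.exe")

    return selection and not filter_


def find_alerts(events: list) -> list:
    """Return the events that would raise this rule."""
    return [event for event in events if matches_rule(event)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["ParentImage"], "->", alert["Image"])
```

Only the second event is reported: the first and third are suppressed by the filter on the System32 path (the third despite its differing case), and the fourth never enters the selection because its parent is not WorkFolders.exe.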
Related rules
- Renamed MegaSync Execution
- Microsoft Workflow Compiler Execution
- Application Whitelisting Bypass via Dxcap.exe
- DNS Query From Process with Double File Extension
- Download by Process with Double File Extension