Signed Proxy Execution via MS Work Folders
Adversaries may misuse Windows Work Folders to execute a masqueraded 'control.exe' file from a non-standard location, bypassing application controls and potentially escalating privileges.
The Windows Work Folders feature, intended for file server synchronization, can be abused to execute arbitrary code. Specifically, Work Folders automatically executes any Portable Executable (PE) named control.exe located in the same directory. Attackers can leverage this behavior by placing a malicious control.exe file in a Work Folders synced directory. When WorkFolders.exe is called, the malicious control.exe will be executed, potentially bypassing application control mechanisms. This behavior was publicly discussed in October 2021. This poses a risk to organizations leveraging Work Folders for legitimate purposes, as it provides a pathway for malware execution and potential privilege escalation. The attack is effective on systems where Work Folders are enabled and configured.
Attack Chain
- An attacker gains initial access to a system through an external mechanism (e.g., phishing, exploit) and establishes a foothold.
- The attacker drops a malicious executable renamed as
control.exeinto a directory that is synchronized by Windows Work Folders. - The attacker triggers the
WorkFolders.exeprocess, either manually or through scheduled task manipulation. WorkFolders.exeinitiates the file synchronization process, and as part of its normal operation, attempts to executecontrol.exe.- Due to the presence of the malicious
control.exein the synchronized directory, the attacker's code is executed in the context ofWorkFolders.exe. - The malicious
control.exeperforms post-exploitation activities, such as establishing persistence, escalating privileges, or executing lateral movement. - The attacker uses the compromised host to propagate further into the network or exfiltrate sensitive data.
Impact
Successful exploitation allows attackers to bypass application control solutions and execute arbitrary code. This can lead to privilege escalation, lateral movement, and data exfiltration. The impact is significant for organizations that rely on Work Folders for file synchronization. A successful attack gives the adversary a beachhead inside the environment with the potential to compromise sensitive data or critical systems. The severity depends on the privileges associated with the WorkFolders.exe process and the actions performed by the malicious control.exe.
Recommendation
- Deploy the Sigma rule "Detect Suspicious WorkFolders Control Execution" to your SIEM and tune for your environment. This rule detects
control.exeexecution byWorkFolders.exeoutside of legitimate system paths. - Investigate any execution of
control.exebyWorkFolders.exewhere thecontrol.exeis not located inC:\\Windows\\System32orC:\\Windows\\SysWOW64. - Monitor file creation events in Work Folders synchronized directories for executables named
control.exe. - Consider disabling Work Folders if it is not actively used within the organization to eliminate the attack vector.
- Implement Windows Information Protection (WIP) to protect data synced by Work Folders as referenced in the overview section.
Detection coverage 2
Detect Suspicious WorkFolders Control Execution
mediumDetects the execution of control.exe by WorkFolders.exe from a non-standard directory, indicating potential abuse of the Work Folders feature for defense evasion.
Detect Control.exe Execution from Non-Standard Path
mediumDetects when control.exe is executed from a path other than the system directories, which could indicate a masquerading attack via WorkFolders.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
filename
| Type | Value |
|---|---|
| filename | control.exe |