{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-work-folders/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Work Folders","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eWindows Work Folders is a Microsoft file server role that allows users to sync work files between their PCs and a central server. The WorkFolders.exe process, when called, will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share. Attackers can abuse this functionality by placing a malicious executable renamed to control.exe in a location synced by Work Folders, and then triggering WorkFolders.exe. This can lead to the execution of arbitrary code in a manner that bypasses application control policies, as WorkFolders.exe is a signed Microsoft binary. This technique has been observed in the wild and documented by security researchers. This allows attackers to execute code from locations outside the standard Windows directories, evading traditional detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through an unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious executable and renames it to \u003ccode\u003econtrol.exe\u003c/code\u003e in a directory accessible to Work Folders.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Windows Work Folders to synchronize the directory containing the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim system synchronizes with the Work Folders server, copying the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e to the local machine.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eWorkFolders.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWorkFolders.exe\u003c/code\u003e executes the \u003ccode\u003econtrol.exe\u003c/code\u003e binary from the synced folder.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003econtrol.exe\u003c/code\u003e executes, performing attacker-defined actions such as establishing persistence, escalating privileges, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in a potentially elevated context, leveraging a signed Microsoft binary (\u003ccode\u003eWorkFolders.exe\u003c/code\u003e) to bypass security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on a victim\u0026rsquo;s machine, potentially bypassing application control and other security measures. This can lead to a range of malicious activities, including data theft, system compromise, and lateral movement within the network. Given the legitimate use of Work Folders, identifying malicious executions can be challenging, potentially allowing attackers to maintain a persistent foothold. The lack of specific victim counts or industry targeting details in the source material limits a complete assessment of impact scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations where \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is the parent process and \u003ccode\u003econtrol.exe\u003c/code\u003e is the child process, but \u003ccode\u003econtrol.exe\u003c/code\u003e is not located in a standard Windows system directory (Sigma rule: \u0026ldquo;Detect Suspicious WorkFolders Control Execution\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003econtrol.exe\u003c/code\u003e is executed from unusual or user-writable locations, especially if \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is involved (see Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows systems to capture the necessary data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft documentation on Windows Information Protection (WIP) and consider implementing it to encrypt data on PCs using Work Folders.\u003c/li\u003e\n\u003cli\u003eImplement application control policies that restrict the execution of \u003ccode\u003econtrol.exe\u003c/code\u003e to authorized locations (e.g., \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-workfolders-control-execution/","summary":"Attackers can abuse Windows Work Folders to execute a masqueraded control.exe file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.","title":"Signed Proxy Execution via MS Work Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-03-workfolders-control-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Work Folders","version":"https://jsonfeed.org/version/1.1"}