{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/workfolders/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Work Folders"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","workfolders","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Windows Work Folders feature, intended for file server synchronization, can be abused to execute arbitrary code. Specifically, Work Folders automatically executes any Portable Executable (PE) named \u003ccode\u003econtrol.exe\u003c/code\u003e located in the same directory. Attackers can leverage this behavior by placing a malicious \u003ccode\u003econtrol.exe\u003c/code\u003e file in a Work Folders synced directory. When \u003ccode\u003eWorkFolders.exe\u003c/code\u003e is called, the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e will be executed, potentially bypassing application control mechanisms. This behavior was publicly discussed in October 2021. This poses a risk to organizations leveraging Work Folders for legitimate purposes, as it provides a pathway for malware execution and potential privilege escalation. The attack is effective on systems where Work Folders are enabled and configured.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through an external mechanism (e.g., phishing, exploit) and establishes a foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable renamed as \u003ccode\u003econtrol.exe\u003c/code\u003e into a directory that is synchronized by Windows Work Folders.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eWorkFolders.exe\u003c/code\u003e process, either manually or through scheduled task manipulation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWorkFolders.exe\u003c/code\u003e initiates the file synchronization process, and as part of its normal operation, attempts to execute \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e in the synchronized directory, the attacker's code is executed in the context of \u003ccode\u003eWorkFolders.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003econtrol.exe\u003c/code\u003e performs post-exploitation activities, such as establishing persistence, escalating privileges, or executing lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised host to propagate further into the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass application control solutions and execute arbitrary code. This can lead to privilege escalation, lateral movement, and data exfiltration. The impact is significant for organizations that rely on Work Folders for file synchronization. A successful attack gives the adversary a beachhead inside the environment with the potential to compromise sensitive data or critical systems. The severity depends on the privileges associated with the \u003ccode\u003eWorkFolders.exe\u003c/code\u003e process and the actions performed by the malicious \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious WorkFolders Control Execution\u0026quot; to your SIEM and tune for your environment. This rule detects \u003ccode\u003econtrol.exe\u003c/code\u003e execution by \u003ccode\u003eWorkFolders.exe\u003c/code\u003e outside of legitimate system paths.\u003c/li\u003e\n\u003cli\u003eInvestigate any execution of \u003ccode\u003econtrol.exe\u003c/code\u003e by \u003ccode\u003eWorkFolders.exe\u003c/code\u003e where the \u003ccode\u003econtrol.exe\u003c/code\u003e is not located in \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in Work Folders synchronized directories for executables named \u003ccode\u003econtrol.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConsider disabling Work Folders if it is not actively used within the organization to eliminate the attack vector.\u003c/li\u003e\n\u003cli\u003eImplement Windows Information Protection (WIP) to protect data synced by Work Folders as referenced in the overview section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:22:00Z","date_published":"2024-01-09T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-workfolders-control-execution/","summary":"Adversaries may misuse Windows Work Folders to execute a masqueraded 'control.exe' file from a non-standard location, bypassing application controls and potentially escalating privileges.","title":"Signed Proxy Execution via MS Work Folders","url":"https://feed.craftedsignal.io/briefs/2024-01-09-workfolders-control-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Workfolders","version":"https://jsonfeed.org/version/1.1"}