<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Workfolders - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/workfolders/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 14:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/workfolders/feed.xml" rel="self" type="application/rss+xml"/><item><title>Signed Proxy Execution via MS Work Folders</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-workfolders-control-execution/</link><pubDate>Tue, 09 Jan 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-workfolders-control-execution/</guid><description>Adversaries may misuse Windows Work Folders to execute a masqueraded 'control.exe' file from a non-standard location, bypassing application controls and potentially escalating privileges.</description><content:encoded><![CDATA[<p>The Windows Work Folders feature, intended for file server synchronization, can be abused to execute arbitrary code. Specifically, Work Folders automatically executes any Portable Executable (PE) named <code>control.exe</code> located in the same directory. Attackers can leverage this behavior by placing a malicious <code>control.exe</code> file in a Work Folders synced directory. When <code>WorkFolders.exe</code> is called, the malicious <code>control.exe</code> will be executed, potentially bypassing application control mechanisms. This behavior was publicly discussed in October 2021. This poses a risk to organizations leveraging Work Folders for legitimate purposes, as it provides a pathway for malware execution and potential privilege escalation. The attack is effective on systems where Work Folders are enabled and configured.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system through an external mechanism (e.g., phishing, exploit) and establishes a foothold.</li>
<li>The attacker drops a malicious executable renamed as <code>control.exe</code> into a directory that is synchronized by Windows Work Folders.</li>
<li>The attacker triggers the <code>WorkFolders.exe</code> process, either manually or through scheduled task manipulation.</li>
<li><code>WorkFolders.exe</code> initiates the file synchronization process, and as part of its normal operation, attempts to execute <code>control.exe</code>.</li>
<li>Due to the presence of the malicious <code>control.exe</code> in the synchronized directory, the attacker's code is executed in the context of <code>WorkFolders.exe</code>.</li>
<li>The malicious <code>control.exe</code> performs post-exploitation activities, such as establishing persistence, escalating privileges, or executing lateral movement.</li>
<li>The attacker uses the compromised host to propagate further into the network or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass application control solutions and execute arbitrary code. This can lead to privilege escalation, lateral movement, and data exfiltration. The impact is significant for organizations that rely on Work Folders for file synchronization. A successful attack gives the adversary a beachhead inside the environment with the potential to compromise sensitive data or critical systems. The severity depends on the privileges associated with the <code>WorkFolders.exe</code> process and the actions performed by the malicious <code>control.exe</code>.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Suspicious WorkFolders Control Execution&quot; to your SIEM and tune for your environment. This rule detects <code>control.exe</code> execution by <code>WorkFolders.exe</code> outside of legitimate system paths.</li>
<li>Investigate any execution of <code>control.exe</code> by <code>WorkFolders.exe</code> where the <code>control.exe</code> is not located in <code>C:\\Windows\\System32</code> or <code>C:\\Windows\\SysWOW64</code>.</li>
<li>Monitor file creation events in Work Folders synchronized directories for executables named <code>control.exe</code>.</li>
<li>Consider disabling Work Folders if it is not actively used within the organization to eliminate the attack vector.</li>
<li>Implement Windows Information Protection (WIP) to protect data synced by Work Folders as referenced in the overview section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>masquerading</category><category>workfolders</category><category>windows</category></item></channel></rss>