Add App Paths Hijacking (Proxy Execution) to WorkFolders.exe#490
Merged
wietze merged 5 commits intoLOLBAS-Project:masterfrom Mar 16, 2026
Merged
Add App Paths Hijacking (Proxy Execution) to WorkFolders.exe#490wietze merged 5 commits intoLOLBAS-Project:masterfrom
wietze merged 5 commits intoLOLBAS-Project:masterfrom
Conversation
Hi team, Submitting a new execution technique for `WorkFolders.exe`. Currently, the existing technique relies on dropping a payload named `control.exe` into the Current Working Directory (CWD). **New Finding (App Paths Hijacking):** By modifying the `(Default)` value of the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe` registry key, `WorkFolders.exe` will seamlessly proxy-execute the arbitrary executable defined in the registry. * **Privileges:** User (HKCU modification requires no elevation). * **POC:** I've attached a PowerShell POC in the Resources demonstrating the registry modification, execution, and clean-up. Added the new command block, registry detection IOC, Gist resource link, and acknowledgement. Let me know if you need any adjustments!
Removed a placeholder link from WorkFolders.yml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi team,
Submitting a new execution technique for
WorkFolders.exe.Currently, the existing technique relies on dropping a payload named
control.exeinto the Current Working Directory (CWD).New Finding (App Paths Hijacking):
By modifying the
(Default)value of theHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exeregistry key,WorkFolders.exewill seamlessly proxy-execute the arbitrary executable defined in the registry.Added the new command block, registry detection IOC, Gist resource link, and acknowledgement. Let me know if you need any adjustments!