Add App Paths Hijacking (Proxy Execution) to WorkFolders.exe

yml/OSBinaries/WorkFolders.yml

@@ -5,19 +5,31 @@ Author: Elliot Killick
 Created: 2021-08-16
 Commands:
   - Command: WorkFolders
-    Description: Execute control.exe in the current working directory
+    Description: Execute `control.exe` in the current working directory
     Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
     Category: Execute
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: EXE
+      - Requires: Rename
+  - Command: WorkFolders
+    Description: '`WorkFolders` attempts to execute `control.exe`. By modifying the default value of the App Paths registry key for `control.exe` in `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe`, an attacker can achieve proxy execution.'
+    Usecase: Proxy execution of a malicious payload via App Paths registry hijacking.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
+      - Requires: Registry change
 Full_Path:
   - Path: C:\Windows\System32\WorkFolders.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
   - IOC: WorkFolders.exe should not be run on a normal workstation
+  - IOC: Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe
 Resources:
   - Link: https://www.ctus.io/2021/04/12/exploading/
   - Link: https://twitter.com/ElliotKillick/status/1449812843772227588
@@ -26,3 +38,5 @@ Acknowledgement:
     Handle: '@YoSignals'
   - Person: Elliot Killick
     Handle: '@elliotkillick'
+  - Person: Naor Evgi
+    Handle: '@ghosts621'