Detectionhightest

Execution via WorkFolders.exe

Detects using WorkFolders.exe to execute an arbitrary control.exe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Maxime ThiebautCreated Thu Oct 21Updated Sun Dec 250bbc6369-43e3-453d-9944-cae58821c173windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith: '\WorkFolders.exe'
    filter:
        Image: 'C:\Windows\System32\control.exe'
    condition: selection and not filter

False Positives

Legitimate usage of the uncommon Windows Work Folders feature.

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Rule Metadata

Rule ID

0bbc6369-43e3-453d-9944-cae58821c173

Status

test

Level

high

Type

Detection

Created

Thu Oct 21

Modified

Sun Dec 25

Author

Maxime Thiebaut

Path

rules/windows/process_creation/proc_creation_win_susp_workfolders.yml

Raw Tags

attack.defense-evasionattack.t1218

View on GitHub