From 95baee85fdc21131dbddda346a9a02ad8f2a0602 Mon Sep 17 00:00:00 2001
From: Elliot Killick
Date: Mon, 16 Aug 2021 19:42:32 -0400
Subject: [PATCH 1/4] Create WorkFolders.yml
---
 yml/OSBinaries/WorkFolders.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 yml/OSBinaries/WorkFolders.yml
diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml
new file mode 100644
index 0000000..564af66
--- /dev/null
+++ b/yml/OSBinaries/WorkFolders.yml
@@ -0,0 +1,22 @@
+---
+Name: WorkFolders.exe
+Description: Work Folders
+Author: 'Elliot Killick'
+Created: '2021-08-16'
+Commands:
+ - Command: WorkFolders.exe
+ Description: Execute control.exe in the current directory
+ Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
+ Category: Execute
+ Privileges: User
+ MitreID: T1218
+ MitreLink: https://attack.mitre.org/wiki/Technique/T1218/
+ OperatingSystem: Windows 8, Windows 8.1, Windows 10
+Full_Path:
+ - Path: C:\Windows\System32\WorkFolders.exe
+Detection:
+ - IOC: WorkFolders.exe should not be run on a normal workstation
+Acknowledgement:
+ - Person: Elliot Killick
+ Handle: '@elliotkillick'
+---
From 692a3bf4c2b9efe2bb9b4de467bc56f6059e5152 Mon Sep 17 00:00:00 2001
From: Elliot Killick
Date: Thu, 26 Aug 2021 12:49:43 -0400
Subject: [PATCH 2/4] Remove .exe from command and increase specificity
---
 yml/OSBinaries/WorkFolders.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml
index 564af66..2f34799 100644
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
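Review bot: The Detection entry in this hunk, `- IOC: WorkFolders.exe should not be run on a normal workstation`, is too coarse to act on and will produce false positives on any workstation where the Work Folders client feature is legitimately deployed. The hunk's own Description states that the binary executes control.exe from its current working directory, so the observable worth listing is a control.exe child of WorkFolders.exe whose image path is not the System32 copy, e.g. `- IOC: WorkFolders.exe spawning control.exe from a directory other than C:\Windows\System32`. The MitreLink uses the legacy `/wiki/Technique/T1218/` URL form; `https://attack.mitre.org/techniques/T1218/` is the current path, unless the repository's schema has standardized on the old one.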
@@ -4,8 +4,8 @@ Description: Work Folders
 Author: 'Elliot Killick'
 Created: '2021-08-16'
 Commands:
- - Command: WorkFolders.exe
- Description: Execute control.exe in the current directory
+ - Command: WorkFolders
+ Description: Execute control.exe in the current working directory
 Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism
 Category: Execute
 Privileges: User
From 6fb1882a16a1b6e6796bb5a8ba9f808780f12fb6 Mon Sep 17 00:00:00 2001
From: Elliot Killick
Date: Mon, 18 Oct 2021 23:38:45 -0400
Subject: [PATCH 3/4] Add resources section
---
 yml/OSBinaries/WorkFolders.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml
index 2f34799..414d2f7 100644
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
@@ -16,6 +16,8 @@ Full_Path:
 - Path: C:\Windows\System32\WorkFolders.exe
 Detection:
 - IOC: WorkFolders.exe should not be run on a normal workstation
+Resources:
+ - Link: https://twitter.com/ElliotKillick/status/1449812843772227588
 Acknowledgement:
 - Person: Elliot Killick
 Handle: '@elliotkillick'
From a1d7fd00c92961158ef6c3261efc6f7f826f24c9 Mon Sep 17 00:00:00 2001
From: Elliot Killick
Date: Thu, 21 Oct 2021 05:36:18 -0400
Subject: [PATCH 4/4] Acknowledge John Carroll and their resource
---
 yml/OSBinaries/WorkFolders.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml
index 414d2f7..0bdbb9f 100644
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
@@ -17,8 +17,11 @@ Full_Path:
 Detection:
 - IOC: WorkFolders.exe should not be run on a normal workstation
 Resources:
+ - Link: https://www.ctus.io/2021/04/12/exploading/
 - Link: https://twitter.com/ElliotKillick/status/1449812843772227588
 Acknowledgement:
+ - Person: John Carroll
+ Handle: '@YoSignals'
 - Person: Elliot Killick
 Handle: '@elliotkillick'
 ---