From 62a81812efee695519c2668933788a0bd2c19cb5 Mon Sep 17 00:00:00 2001
From: ghosts621 <97026636+ghosts621@users.noreply.github.com>
Date: Sun, 22 Feb 2026 14:59:26 +0200
Subject: [PATCH] Add App Paths Hijacking (Proxy Execution) to WorkFolders.exe

Hi team,

Submitting a new execution technique for `WorkFolders.exe`. Currently, the existing technique relies on dropping a payload named `control.exe` into the Current Working Directory (CWD).

**New Finding (App Paths Hijacking):** By modifying the `(Default)` value of the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe` registry key, `WorkFolders.exe` will seamlessly proxy-execute the arbitrary executable defined in the registry.

* **Privileges:** User (HKCU modification requires no elevation).
* **POC:** I've attached a PowerShell POC in the Resources demonstrating the registry modification, execution, and clean-up.

Added the new command block, registry detection IOC, Gist resource link, and acknowledgement.

Let me know if you need any adjustments!
---
 yml/OSBinaries/WorkFolders.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml
index f1930eaf..ed792d06 100644
--- a/yml/OSBinaries/WorkFolders.yml
+++ b/yml/OSBinaries/WorkFolders.yml
@@ -13,16 +13,29 @@ Commands: OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE + - Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /ve /d "{PATH_ABSOLUTE:.exe}" /f & WorkFolders.exe + Description: WorkFolders.exe attempts to execute control.exe. By modifying the default value of the App Paths registry key for control.exe in HKCU, an attacker can achieve proxy execution. + Usecase: Proxy execution of a malicious payload via App Paths registry hijacking. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml - IOC: WorkFolders.exe should not be run on a normal workstation + - IOC: Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe Resources: - Link: https://www.ctus.io/2021/04/12/exploading/ - Link: https://twitter.com/ElliotKillick/status/1449812843772227588 + - Link: https://gist.github.com/ghosts621/YOUR_NEW_GIST_LINK_HERE Acknowledgement: - Person: John Carroll Handle: '@YoSignals' - Person: Elliot Killick Handle: '@elliotkillick' + - Person: Naor Evgi + Handle: '@ghosts621'
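Review bot: the added Resources entry `- Link: https://gist.github.com/ghosts621/YOUR_NEW_GIST_LINK_HERE` is still a placeholder and has to be replaced with the real Gist URL before merge; as written, the YAML ships a dead link for the PoC the commit message says is attached. Two smaller points in the same hunk. The new IOC `Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe` would be more actionable if it named what actually changes, i.e. the `(Default)` value of that key (the `/ve /d` in the command) being set to an executable outside `C:\Windows\System32`, and paired it with the process-side signal the Description implies, WorkFolders.exe spawning a child process that is not control.exe; the existing Detection link is a process-creation Sigma rule, so please state whether it already covers this variant or whether a registry value-set rule is needed. Lastly, the new entry lists `OperatingSystem: Windows 10, Windows 11` while the existing entry also lists Windows 8 and 8.1; if the App Paths variant was only tested on 10/11 that is fine, but say so in the PR so the narrower list reads as tested scope rather than an omission.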