Add App Paths Hijacking (Proxy Execution) to WorkFolders.exe

yml/OSBinaries/WorkFolders.yml

@@ -13,16 +13,29 @@ Commands:
     OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11
     Tags:
       - Execute: EXE
+  - Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /ve /d "{PATH_ABSOLUTE:.exe}" /f & WorkFolders.exe
+    Description: WorkFolders.exe attempts to execute control.exe. By modifying the default value of the App Paths registry key for control.exe in HKCU, an attacker can achieve proxy execution.
+    Usecase: Proxy execution of a malicious payload via App Paths registry hijacking.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows 10, Windows 11
+    Tags:
+      - Execute: EXE
 Full_Path:
   - Path: C:\Windows\System32\WorkFolders.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
   - IOC: WorkFolders.exe should not be run on a normal workstation
+  - IOC: Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe
 Resources:
   - Link: https://www.ctus.io/2021/04/12/exploading/
   - Link: https://twitter.com/ElliotKillick/status/1449812843772227588
+  - Link: https://gist.github.com/ghosts621/YOUR_NEW_GIST_LINK_HERE
 Acknowledgement:
   - Person: John Carroll
     Handle: '@YoSignals'
   - Person: Elliot Killick
     Handle: '@elliotkillick'
+  - Person: Naor Evgi
+    Handle: '@ghosts621'