diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml new file mode 100644 index 000000000..09996b0c2 --- /dev/null +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -0,0 +1,76 @@ +[metadata] +creation_date = "2022/03/02" +maturity = "production" +updated_date = "2022/03/02" + +[rule] +author = ["Elastic", "Austin Songer"] +description = """ +Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working +directory. Misuse of Windows Work Folders could indicate malicious activity. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Signed Proxy Execution via MS WorkFolders" +note = """## Triage and analysis + +### Investigating control.exe Execution via Work Folders in Current Working Directory + +Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows for users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named `control.exe` as an argument before accessing the synced share. + +Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges. + +#### Possible investigation steps: +- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine if other child processes spawned during execution. +- Trace the activity related to the `control.exe` binary to determine continued intrusion activity on the host. +- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary as it resides in the System32 directory by default. +- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic generated +- Determine if control.exe was synced to sync share, indicating potential lateral movement. +- Review where control.exe originated from on the host in terms of delivery such as email, web download or written to disk from a seperate binary. + +### False Positive Analysis +- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious `control.exe` is passed as an argument. + +### Response and Remediation +- If identified as a compromise, engage incident response processes and policies. +- Take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise +behavior. +- Review the Work Folders synced share to determine if the 'control.exe' was shared and if so remove it. +- If no lateral movement was identified during investigation, take the effected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation. +- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders. +- Confirm with user whether this was expected or not and reset their password. +""" +references = [ + "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", + "https://twitter.com/ElliotKillick/status/1449812843772227588", + "https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/", +] +risk_score = 47 +rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type in ("start","process_started") + and process.name : "control.exe" and process.parent.name : "WorkFolders.exe" + and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "Signed Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +