
Summary
This detection rule identifies potentially malicious activity in which 'control.exe' is launched by 'WorkFolders.exe', a legitimate Windows binary that belongs to the Work Folders feature. The rule monitors process creation events on Windows hosts and looks for instances where 'control.exe' is spawned with 'WorkFolders.exe' as its parent process.

The detection logic consists of a selection condition, which checks that the image of the created process ends with 'control.exe' and that its parent image ends with 'WorkFolders.exe', and a filter condition, which excludes the expected case of 'control.exe' running from the Windows system directory. Only a 'control.exe' executing from some other location with 'WorkFolders.exe' as its parent is flagged.

Because Work Folders is not a widely used feature, this detection can help pinpoint attempts to blend in by launching a payload under a benign-looking parent process. Legitimate scenarios for this parent/child relationship do exist, however, so alerts may be false positives and warrant further investigation before action is taken.
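As an added illustration (not the rule's own text or the project's code), the following Python reproduces the selection-and-filter logic described above and runs it over a few constructed Sysmon-style process creation events. The field names 'Image' and 'ParentImage', the sample paths, and the assumption that the filter is an exact match on C:\Windows\System32\control.exe are assumptions made for this example.

```python
"""Reference implementation of the selection/filter logic described in the
summary, run over constructed Sysmon Event ID 1 style events. This is an
added example, not the rule's own text. Field names (Image, ParentImage),
sample paths and the exact-path filter are assumptions for illustration."""

import ntpath

# Expected location of the legitimate Control Panel binary. Assumption:
# the rule's filter is an exact, case-insensitive match on this path.
EXPECTED_CONTROL_EXE = r"C:\Windows\System32\control.exe"


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise separators and case.
    return path.replace("/", "\\").lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event matches the detection:
    selection (control.exe spawned by WorkFolders.exe)
    AND NOT filter (control.exe running from its expected location)."""
    image = _norm(event.get("Image", ""))
    parent = _norm(event.get("ParentImage", ""))

    # Selection: compare basenames, which is stricter than a raw suffix
    # match ('notcontrol.exe' also ends with 'control.exe').
    selection = (
        ntpath.basename(image) == "control.exe"
        and ntpath.basename(parent) == "workfolders.exe"
    )
    if not selection:
        return False

    # Filter: exact path comparison, not a substring test. Checking for a
    # "system32" substring would be bypassed by a user-writable directory
    # such as C:\Users\bob\System32\control.exe.
    legit = image == _norm(EXPECTED_CONTROL_EXE)
    return not legit


# Constructed sample events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {   # Legitimate: Work Folders opened the real Control Panel binary.
        "Image": r"C:\Windows\System32\control.exe",
        "ParentImage": r"C:\Windows\System32\WorkFolders.exe",
    },
    {   # Suspicious: control.exe planted in a user-writable directory.
        "Image": r"C:\Users\bob\Downloads\control.exe",
        "ParentImage": r"C:\Windows\System32\WorkFolders.exe",
    },
    {   # Suspicious: look-alike System32 directory under a user profile.
        "Image": r"C:\Users\bob\System32\control.exe",
        "ParentImage": r"C:\Windows\System32\WorkFolders.exe",
    },
    {   # Out of scope: different parent process.
        "Image": r"C:\Users\bob\Downloads\control.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def run_detection(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "<-", hit["ParentImage"])
```

Two points the example makes explicit that the prose summary leaves implicit: the basename comparison is stricter than a plain "ends with" test, and the filter compares the full, case-normalised path rather than looking for a 'System32' substring, since a directory such as C:\Users\bob\System32\ is writable by an ordinary user and would otherwise be excluded as if it were the real system directory.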
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2021-10-21