
Signed Proxy Execution via MS Work Folders

Elastic Detection Rules

Summary
This detection rule identifies misuse of Windows Work Folders to execute a potentially masqueraded 'control.exe' from the current working directory. Windows Work Folders is a role service that lets users access their work files from various devices by syncing them. When triggered, Work Folders can execute any Portable Executable (PE) named 'control.exe' before allowing access to a synced share. By abusing this behavior, an attacker may execute a malicious variant of 'control.exe', circumventing application controls and gaining unauthorized access or elevated privileges. The rule uses EQL (Event Query Language) to spot abnormal execution patterns by correlating process events linked to 'WorkFolders.exe' and 'control.exe'. A 'control.exe' launched under these conditions indicates potential adversarial behavior and warrants investigation and response.
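The following is an added example, not the Elastic rule itself, showing the shape of the correlation the summary describes: flag a process-start event for 'control.exe' whose parent is 'WorkFolders.exe' unless the executable resolves to the expected system path. The event fields, the allow-list of legitimate 'control.exe' locations and the sample events are all constructed assumptions for illustration (loosely modeled on ECS-style process fields), not values taken from the rule.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process event; field names are an assumption, not the rule's schema."""
    event_type: str    # "start" or "end"
    name: str          # process.name
    executable: str    # full path of the image that was launched
    parent_name: str   # process.parent.name


# Assumption: the only legitimate locations for control.exe, compared without the
# drive letter so that any volume (C:, D:, ...) is accepted.
LEGIT_CONTROL_PATHS = {
    ("windows", "system32", "control.exe"),
    ("windows", "syswow64", "control.exe"),
}


def _path_parts_without_drive(path: str) -> tuple:
    parts = PureWindowsPath(path).parts
    # parts[0] is the drive/anchor such as 'C:\\'; drop it and normalise case
    return tuple(p.lower() for p in parts[1:])


def is_suspicious_control_exe(ev: ProcessEvent) -> bool:
    """True when WorkFolders.exe launches a control.exe outside the system directories."""
    if ev.event_type != "start":
        return False
    if ev.name.lower() != "control.exe":
        return False
    if ev.parent_name.lower() != "workfolders.exe":
        return False
    return _path_parts_without_drive(ev.executable) not in LEGIT_CONTROL_PATHS


def detect(events) -> list:
    """Return the executable paths of every event that matches the detection."""
    return [ev.executable for ev in events if is_suspicious_control_exe(ev)]


# Constructed sample events: one legitimate launch, one from a synced user folder,
# one with an unrelated parent, one end event, and one on a non-C: system volume.
SAMPLE_EVENTS = [
    ProcessEvent("start", "control.exe", r"C:\Windows\System32\control.exe", "WorkFolders.exe"),
    ProcessEvent("start", "control.exe", r"C:\Users\alice\Work Folders\control.exe", "WorkFolders.exe"),
    ProcessEvent("start", "control.exe", r"C:\Users\alice\Downloads\control.exe", "explorer.exe"),
    ProcessEvent("end", "control.exe", r"C:\Users\alice\Work Folders\control.exe", "WorkFolders.exe"),
    ProcessEvent("start", "control.exe", r"D:\Windows\SysWOW64\control.exe", "WorkFolders.exe"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("suspicious control.exe launched by WorkFolders.exe:", hit)
```

The drive letter is deliberately dropped from the comparison so that a legitimate Windows installation on another volume does not produce a false positive, while anything else launched under the 'WorkFolders.exe' parent, including a copy sitting in the synced folder itself, is reported for triage.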
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1218
Created: 2022-03-02