diff --git a/yml/OSBinaries/WorkFolders.yml b/yml/OSBinaries/WorkFolders.yml index f1930eaf..6b9ffd39 100644 --- a/yml/OSBinaries/WorkFolders.yml +++ b/yml/OSBinaries/WorkFolders.yml @@ -5,7 +5,7 @@ Author: Elliot Killick Created: 2021-08-16 Commands: - Command: WorkFolders - Description: Execute control.exe in the current working directory + Description: Execute `control.exe` in the current working directory Usecase: Can be used to evade defensive countermeasures or to hide as a persistence mechanism Category: Execute Privileges: User @@ -13,11 +13,23 @@ Commands: OperatingSystem: Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: EXE + - Requires: Rename + - Command: WorkFolders + Description: '`WorkFolders` attempts to execute `control.exe`. By modifying the default value of the App Paths registry key for `control.exe` in `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe`, an attacker can achieve proxy execution.' + Usecase: Proxy execution of a malicious payload via App Paths registry hijacking. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE + - Requires: Registry change Full_Path: - Path: C:\Windows\System32\WorkFolders.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml - IOC: WorkFolders.exe should not be run on a normal workstation + - IOC: Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe Resources: - Link: https://www.ctus.io/2021/04/12/exploading/ - Link: https://twitter.com/ElliotKillick/status/1449812843772227588 @@ -26,3 +38,5 @@ Acknowledgement: Handle: '@YoSignals' - Person: Elliot Killick Handle: '@elliotkillick' + - Person: Naor Evgi + Handle: '@ghosts621'
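Review bot: in the second hunk, the added `- IOC: Registry modification to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe` line is the only detection that covers the new registry-hijack entry, because the existing Sigma link is a process_creation rule (`proc_creation_win_susp_workfolders.yml`); consider also referencing a registry-event rule (Sysmon Event ID 13 on that value path) if SigmaHQ has one, and spelling out in the IOC that the key lives under HKCU, so a standard user can set it without elevation, which is what `Privileges: User` on the new entry implies. The new entry also lists `OperatingSystem: Windows 10, Windows 11` while the first entry in the same file lists Windows 8 and 8.1 as well; either align the two lists or add a short note on whether the App Paths lookup was checked on the older versions, so the narrower list reads as a tested result rather than an omission.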