Change Default File Association

Detect changes to default File Association handlers.

id:26f0ebab-b315-492d-a5be-aa665fba2f35 categories:hunt confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence techniques:T1042 Change Default File Association

Query

sequence by unique_pid with maxspan=1s
  [ registry where registry_path == "*\\SOFTWARE\\Classes\\*\\*"]
  [ registry where registry_path == "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter"]
| unique_count process_name, registry_path

Detonation

Atomic Red Team: T1042

Contributors

• Endgame