Windows New Default File Association Value Set
The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under HKCR (HKEY_CLASSES_ROOT) that contain `\shell\open\command\`. This activity can be significant because attackers might alter the default file associations to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.001 Event Triggered Execution: Change Default File Association |
| Privilege Escalation | T1546.001 Event Triggered Execution: Change Default File Association |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*") BY Registry.dest, Registry.user, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_name, Registry.registry_value_data
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
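The Stage 1 predicates can be checked offline against exported registry events. The following is an added example, not part of the original rule or the Splunk project: the function names, the case-insensitive comparison, and the sample events are assumptions constructed for illustration.

```python
import re

# Stage 1 predicates from the rule, with the SPL "\\" escapes reduced to
# the single literal backslashes they stand for.
PATH_PATTERN = r"*\shell\open\command\*"
HIVE_PATTERNS = (r"*HKCR\*", r"*HKEY_CLASSES_ROOT\*")

def wildcard_to_regex(pattern):
    """Compile a '*'-only wildcard pattern into an anchored regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Assumption of this example: compare case-insensitively, because
    # Windows registry paths are case-insensitive.
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)

_PATH_RE = wildcard_to_regex(PATH_PATTERN)
_HIVE_RES = [wildcard_to_regex(p) for p in HIVE_PATTERNS]

def matches_rule(registry_path):
    """True when the path satisfies both Stage 1 predicates."""
    return bool(_PATH_RE.match(registry_path)) and any(
        r.match(registry_path) for r in _HIVE_RES)

def triage(events):
    """Return (dest, user, path, data) for each matching value-set event."""
    return [(e["dest"], e["user"], e["registry_path"], e["registry_value_data"])
            for e in events if matches_rule(e["registry_path"])]

# Constructed sample events shaped like the fields in the rule's BY clause.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice",
     "registry_path": r"HKCR\txtfile\shell\open\command\(Default)",
     "registry_value_data": r"C:\Users\Public\example.exe %1"},
    {"dest": "ws02", "user": "bob",
     "registry_path": r"HKEY_CLASSES_ROOT\batfile\shell\open\command\(Default)",
     "registry_value_data": '"%1" %*'},
    {"dest": "ws03", "user": "carol",   # HKCR, but not an open\command value
     "registry_path": r"HKCR\txtfile\DefaultIcon\(Default)",
     "registry_value_data": r"%SystemRoot%\system32\imageres.dll,-102"},
    {"dest": "ws04", "user": "dave",    # open\command, but not under HKCR
     "registry_path": r"HKLM\SOFTWARE\Example\shell\open\command\(Default)",
     "registry_value_data": "example.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The path pattern ends in `\*`, so a path must continue past `command\` with a value name such as `(Default)` to match; a path that stops at the `command` key does not.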
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Registry.registry_path | eq | `*\\shell\\open\\command\\*` |
| Registry.registry_path | in | `*HKCR\\*`, `*HKEY_CLASSES_ROOT\\*` |