LoFP / windows and third party software will create and modify these file associations during installation or upgrades. additional filters needs to be applied to tune environment specific false positives.

Techniques

• T1546.001

Sample rules

Windows New Default File Association Value Set

• source: splunk
• technicques:
  • T1546.001

Description

The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under “HKCR\\shell\open\command\”. This activity can be significant because, attackers might alter the default file associations in order to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.

Detection logic

| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\shell\\open\\command\\*" Registry.registry_path IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*") by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name(Registry)` 
| `windows_new_default_file_association_value_set_filter`