title: Change Default File Association To Executable Via Assoc
id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
related:
    - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
      type: derived
status: test
description: |
    Detects when a program changes the default file association of any extension to an executable.
    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'assoc '
            - 'exefile'
    filter:
        CommandLine|contains: '.exe=exefile'
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high

title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
related:
    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
      type: similar
status: test
description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
    - https://github.com/hfiref0x/UACME
    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
    - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-01-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: SetValue
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
        Details|contains: '\Software\Classes\{'
    selection2:
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
    selection3:
        EventType: SetValue
        TargetObject|endswith:
            - 'Classes\ms-settings\shell\open\command\(Default)'
            - 'Classes\exefile\shell\open\command\(Default)'
    filter_sel3:
        Details: '(Empty)'
    condition: selection1 or selection2 or (selection3 and not filter_sel3)
falsepositives:
    - Unknown
level: high

title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium

title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium

title: Change Default File Association Via Assoc
id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
related:
    - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
      type: similar
status: test
description: |
    Detects file association changes using the builtin "assoc" command.
    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-03-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains: 'assoc'
    condition: all of selection_*
falsepositives:
    - Admin activity
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml