Change Default File Association Via Assoc

 1title: Change Default File Association Via Assoc
 2id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
 3related:
 4    - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
 5      type: similar
 6status: test
 7description: |
 8    Detects file association changes using the builtin "assoc" command.
 9    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.    
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
12author: Timur Zinniatullin, oscd.community
13date: 2019-10-21
14modified: 2023-03-06
15tags:
16    - attack.privilege-escalation
17    - attack.persistence
18    - attack.t1546.001
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\cmd.exe'
25        - OriginalFileName: 'Cmd.Exe'
26    selection_cli:
27        CommandLine|contains: 'assoc'
28    condition: all of selection_*
29fields:
30    - Image
31    - CommandLine
32    - User
33    - LogonGuid
34    - Hashes
35    - ParentProcessGuid
36    - ParentCommandLine
37falsepositives:
38    - Admin activity
39level: low