New File Association Using Exefile
Detects a registry write that binds a file extension (a key under `Classes\.<ext>`) to the `exefile` handler, i.e. a new file association that makes files with that extension run as executables. Attackers use this to bypass security products.
Sigma rule

```yaml
title: New File Association Using Exefile
id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
status: test
description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
date: 2021-11-19
modified: 2023-08-17
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Classes\.'
        Details: 'exefile'
    condition: selection
falsepositives:
    - Unknown
level: high
```
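To see exactly which registry writes the selection above catches, here is an added example that replays the rule's `selection` over a few constructed Sysmon Event ID 13 (RegistryEvent SetValue) records. This is not SigmaHQ code: the matcher implements Sigma's default string semantics (case-insensitive, a bare field is an exact match, `|contains` is a substring test, a plain backslash is literal), the field names follow what Sigma exposes for the `windows`/`registry_set` log source, and every event below is made up for illustration.

```python
"""
Replay the 'New File Association Using Exefile' selection over constructed
Sysmon Event ID 13 records. Added example; not SigmaHQ code. The events are
fabricated, and only the Sigma modifiers this rule needs (plus startswith and
endswith) are implemented.
"""
import re

# Constructed sample events (not real telemetry). Sysmon records a write to a
# key's default value as '<key>\(Default)' in TargetObject and puts the new
# REG_SZ data in Details.
SAMPLE_EVENTS = [
    {   # new association: .hta files are now resolved through the exe handler
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes\.hta\(Default)",
        "Details": "exefile",
    },
    {   # benign: an installer registering its own document type
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Editor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\.md\(Default)",
        "Details": "Editor.Markdown",
    },
    {   # the stock mapping of .exe itself; the rule as written fires on this too
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\.exe\(Default)",
        "Details": "exefile",
    },
    {   # Details is an exact match in the rule, so extra characters do not fire
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\.xyz\(Default)",
        "Details": "exefile_backup",
    },
]

# The rule's 'selection' block, mirrored from the YAML. Sigma ANDs the
# field/value pairs of one map; 'condition: selection' is then just this map.
SELECTION = {
    "TargetObject|contains": r"Classes\.",
    "Details": "exefile",
}


def _field_matches(value, modifier, pattern):
    """Sigma string matching: case-insensitive; bare field means equality."""
    v, p = value.lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """True when every field/value pair in the selection holds for the event."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(str(event.get(field, "")), modifier or None, pattern):
            return False
    return True


def run_rule(events, selection=SELECTION):
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if matches_selection(e, selection)]


# Extension key under Classes, e.g. '.hta' out of '...\Classes\.hta\(Default)'.
_EXT_RE = re.compile(r"Classes\\(\.[^\\]+)", re.IGNORECASE)


def summarize(hit):
    """Pull the associated extension, writing process and handler out of a hit."""
    m = _EXT_RE.search(hit["TargetObject"])
    return {
        "extension": m.group(1) if m else None,
        "image": hit["Image"],
        "details": hit["Details"],
    }


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(summarize(hit))
```

Running it yields two hits, `.hta` written by reg.exe and `.exe` written by msiexec.exe. The second shows a tuning point that follows directly from the selection: `Classes\.exe` legitimately maps to `exefile`, so any installer or repair that rewrites that default value fires the rule, and an analyst should triage hits by the extension and the writing image rather than on the handler name alone.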
References
- https://twitter.com/mrd0x/status/1461041276514623491