New File Association Using Exefile
Detects a registry value being set under a Classes\.<extension> key with the data 'exefile', the ProgID of the native Windows executable handler. Associating a new or unusual extension with exefile lets a payload that does not end in .exe run as an ordinary PE when it is opened, which attackers use to slip past extension-based blocking in security products (technique described in the referenced tweet by mrd0x).
Sigma rule
title: New File Association Using Exefile
id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
status: test
description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
date: 2021-11-19
modified: 2023-08-17
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Classes\.'
        Details: 'exefile'
    condition: selection
falsepositives:
    - Unknown
level: high
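The following is an added example, not code from the rule or from SigmaHQ, that applies the rule's selection logic to constructed registry_set events (the shape Sysmon Event ID 13 produces) so the match behaviour can be checked against both the technique and the obvious benign cases. Field names mirror the Sysmon fields the rule references; the events, image paths and SID are constructed, and the extension-extraction helper is enrichment assumed here, not part of the rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegistrySetEvent:
    """Minimal stand-in for a Windows registry_set event (Sysmon Event ID 13).

    Field names mirror the Sysmon fields the rule uses; Image is carried only
    for context in the alert output.
    """
    image: str
    target_object: str
    details: str


def matches_new_exefile_association(event: RegistrySetEvent) -> bool:
    """Evaluate the rule's single selection against one event.

    Sigma:  TargetObject|contains 'Classes\\.'  AND  Details: 'exefile'
    Sigma string matching is case-insensitive by default, so both sides are
    folded to lower case here, as a Sigma backend would do.
    """
    target_hit = "classes\\." in event.target_object.lower()
    details_hit = event.details.lower() == "exefile"
    return target_hit and details_hit


def extension_from_target(target_object: str) -> Optional[str]:
    """Pull the extension being (re)associated out of the TargetObject path.

    Enrichment only, not part of the Sigma rule. Assumes the usual Sysmon path
    shape HKxx\\...\\Classes\\.ext\\(Default).
    """
    m = re.search(r"classes\\(\.[^\\]+)", target_object, re.IGNORECASE)
    return m.group(1) if m else None


def run_detection(events: List[RegistrySetEvent]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (Image, TargetObject, extension) for every event the rule fires on."""
    return [
        (e.image, e.target_object, extension_from_target(e.target_object))
        for e in events
        if matches_new_exefile_association(e)
    ]


# Constructed sample events (not real telemetry); the user SID is a placeholder.
SAMPLE_EVENTS = [
    # 1. The technique: a new extension whose default ProgID is exefile -> fires
    RegistrySetEvent(
        image=r"C:\Windows\System32\reg.exe",
        target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Classes\.xyz\(Default)",
        details="exefile",
    ),
    # 2. Same thing with different casing -> still fires (case-insensitive match)
    RegistrySetEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        target_object=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\.DOCX\(Default)",
        details="ExeFile",
    ),
    # 3. Editing the exefile ProgID itself: no 'Classes\.' substring -> no fire
    RegistrySetEvent(
        image=r"C:\Windows\regedit.exe",
        target_object=r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
        details='"%1" %*',
    ),
    # 4. Ordinary association of .txt -> Details is not exefile -> no fire
    RegistrySetEvent(
        image=r"C:\Windows\System32\msiexec.exe",
        target_object=r"HKLM\SOFTWARE\Classes\.txt\(Default)",
        details="txtfile",
    ),
    # 5. Re-associating .exe itself with exefile: benign, but fires -> expected false positive
    RegistrySetEvent(
        image=r"C:\Windows\System32\reg.exe",
        target_object=r"HKLM\SOFTWARE\Classes\.exe\(Default)",
        details="exefile",
    ),
]


if __name__ == "__main__":
    for image, target, ext in run_detection(SAMPLE_EVENTS):
        print(f"ALERT extension={ext} target={target} image={image}")
```

Two points the sample set makes explicit: the `Details` comparison is an exact (case-insensitive) match, so edits to the exefile ProgID itself or associations to other handlers stay silent, and the rule has no exclusion for `.exe`, so a legitimate repair of the .exe association fires too. That is the kind of event to look at when deciding how to fill in the rule's "Unknown" false positives for a given environment; filtering on the extracted extension or on the writing Image is a reasonable first tuning step.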
References
- https://twitter.com/mrd0x/status/1461041276514623491