New File Association Using Exefile
Detects abuse of the exefile handler in a new file association, a technique used to bypass security products.
Sigma rule
title: New File Association Using Exefile
id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
status: test
description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
date: 2021/11/19
modified: 2023/08/17
tags:
    - attack.defense_evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Classes\.'
        Details: 'exefile'
    condition: selection
falsepositives:
    - Unknown
level: high
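As an added illustration (not part of the rule or the Sigma project), the following Python evaluates the rule's `selection` block over constructed registry_set events in the shape Sysmon's EventID 13 produces; the events, paths and image names are made up for this example.

```python
# The rule's selection, transcribed from the YAML above.
SELECTION = {
    "TargetObject|contains": r"Classes\.",
    "Details": "exefile",
}

def _field_matches(key: str, expected: str, event: dict) -> bool:
    """Apply one Sigma field test. Sigma string matching is case-insensitive;
    `|contains` is a substring test, a bare field name is an exact match."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual, expected = str(actual).lower(), expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def rule_matches(event: dict) -> bool:
    """condition: selection  (every field in the selection map must match)."""
    return all(_field_matches(k, v, event) for k, v in SELECTION.items())

# Constructed sample events (not real telemetry) in Sysmon EventID 13 shape.
SAMPLE_EVENTS = [
    # 0: a new extension pointed at the exefile handler -> should fire
    {"TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Classes\.pif\(Default)",
     "Details": "exefile", "Image": r"C:\Windows\System32\reg.exe"},
    # 1: same handler, different capitalisation -> still fires
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.scr\(Default)",
     "Details": "ExeFile", "Image": r"C:\Windows\regedit.exe"},
    # 2: an installer registering an ordinary document handler -> no match
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.txt\(Default)",
     "Details": "txtfile", "Image": r"C:\Program Files\Editor\setup.exe"},
    # 3: 'exefile' written below a key that is not Classes\.<ext> -> no match
    {"TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": "exefile", "Image": r"C:\Windows\System32\reg.exe"},
]

def matching_indexes(events=SAMPLE_EVENTS) -> list:
    """Return the positions of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    for i in matching_indexes():
        e = SAMPLE_EVENTS[i]
        print(f"ALERT: {e['Image']} set {e['TargetObject']} = {e['Details']}")
```

Because the legitimate default value of `.exe` is itself `exefile`, a write to `Classes\.exe` satisfies the selection too, so a benign repair of that association produces the same hit as a newly added extension.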
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Bypass UAC Using DelegateExecute