New File Association Using Exefile

Aug 17, 2023 · attack.defense_evasion ·

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

Sigma rule (View on GitHub)

 1title: New File Association Using Exefile
 2id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
 3status: test
 4description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
 5references:
 6    - https://twitter.com/mrd0x/status/1461041276514623491
 7author: Andreas Hunkeler (@Karneades)
 8date: 2021/11/19
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12logsource:
13    category: registry_set
14    product: windows
15detection:
16    selection:
17        TargetObject|contains: 'Classes\.'
18        Details: 'exefile'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More

Related rules

Activate Suppression of Windows Security Center Notifications
Add DisallowRun Execution to Registry
Allow RDP Remote Assistance Feature
Blackbyte Ransomware Registry
Bypass UAC Using DelegateExecute