← Back to Explore
sigmahighHunting
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
Detection Query
selection_main:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\
selection_value_default_file_type_rsik:
TargetObject|endswith: \DefaultFileTypeRisk
Details: DWORD (0x00006152)
selection_value_low_risk_filetypes:
TargetObject|endswith: \LowRiskFileTypes
Details|contains:
- .zip;
- .rar;
- .exe;
- .bat;
- .com;
- .cmd;
- .reg;
- .msi;
- .htm;
- .html;
condition: selection_main and 1 of selection_value_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-01
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.defense-evasion
Raw Content
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-evasion
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
selection_value_default_file_type_rsik:
TargetObject|endswith: '\DefaultFileTypeRisk'
Details: 'DWORD (0x00006152)'
selection_value_low_risk_filetypes:
TargetObject|endswith: '\LowRiskFileTypes'
Details|contains: # Add more as you see fit
- '.zip;'
- '.rar;'
- '.exe;'
- '.bat;'
- '.com;'
- '.cmd;'
- '.reg;'
- '.msi;'
- '.htm;'
- '.html;'
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high