EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Potential Attachment Manager Settings Associations Tamper

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Detection Query

selection_main:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\
selection_value_default_file_type_rsik:
  TargetObject|endswith: \DefaultFileTypeRisk
  Details: DWORD (0x00006152)
selection_value_low_risk_filetypes:
  TargetObject|endswith: \LowRiskFileTypes
  Details|contains:
    - .zip;
    - .rar;
    - .exe;
    - .bat;
    - .com;
    - .cmd;
    - .reg;
    - .msi;
    - .htm;
    - .html;
condition: selection_main and 1 of selection_value_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-01

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.defense-evasion
Raw Content
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
    selection_value_default_file_type_rsik:
        TargetObject|endswith: '\DefaultFileTypeRisk'
        Details: 'DWORD (0x00006152)'
    selection_value_low_risk_filetypes:
        TargetObject|endswith: '\LowRiskFileTypes'
        Details|contains: # Add more as you see fit
            - '.zip;'
            - '.rar;'
            - '.exe;'
            - '.bat;'
            - '.com;'
            - '.cmd;'
            - '.reg;'
            - '.msi;'
            - '.htm;'
            - '.html;'
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high