T1546.001
Change Default File Association
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File ...
Platform: Windows
Detections: 7
Sources: 2
Threat Actors: 1
BY SOURCE
sigma: 5
splunk_escu: 2
PROCEDURES (5)
Process Creation Monitoring: 2 detections
Auto-extracted: 2 detections for process creation monitoring
Bypass: 2 detections
Auto-extracted: 2 detections for bypass
Bypass: 1 detection
Auto-extracted: 1 detection for bypass
Registry Monitoring: 1 detection
Auto-extracted: 1 detection for registry monitoring
Persist: 1 detection
Auto-extracted: 1 detection for persist
THREAT ACTORS (1)
DETECTIONS (7)
Change Default File Association To Executable Via Assoc
sigma (high)
Change Default File Association Via Assoc
sigma (low)
Registry Modification of MS-settings Protocol Handler
sigma (medium)
Shell Open Registry Keys Manipulation
sigma (high)
Suspicious Shell Open Command Registry Modification
sigma (medium)
Windows Change File Association Command To Notepad
splunk_escu
Windows New Default File Association Value Set
splunk_escu