Suspicious Changes To File Associations

Description

This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.

Use Case

Security Monitoring

Category

Malware

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

Event Triggered Execution

Change Default File Association

MITRE Threat Groups

Kimsuky

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Suspicious Changes To File Associations Help

To successfully implement this search, you need to be ingesting registry change events from your endpoints that include the name of the process responsible for each change, and those events must populate the Endpoint data model, specifically its Processes and Registry nodes.