Change Default File Association

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Classes\\",
    "HKEY_CLASSES_ROOT\\"
  )
| where RegistryKey matches regex @"\\shell\\open\\command"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryValueData !has_any (
    "C:\\Windows\\system32\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\"
  )
| extend Extension = extract(@"Classes\\(\.\w+)\\", 1, RegistryKey)
| extend SuspiciousHandler = RegistryValueData has_any (
    "powershell", "cmd.exe", "wscript", "cscript", "mshta",
    "rundll32", "regsvr32", "certutil", "bitsadmin", "AppData", "Temp", "ProgramData"
  )
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
         RegistryValueName, RegistryValueData, Extension, SuspiciousHandler,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13 OR EventCode=14)
| where match(TargetObject, "\\\\Classes\\\\\.[^\\\\]+\\\\shell\\\\open\\\\command")
| eval IsSuspiciousValue=if(match(lower(Details), "(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|appdata|\\\\temp\\\\|programdata)"), 1, 0)
| eval Extension=mvindex(split(TargetObject, "\\\\"), 4)
| eval IsUserHive=if(match(TargetObject, "HKU\\\\|HKCU\\\\"), 1, 0)
| where IsSuspiciousValue=1 OR IsUserHive=1
| table _time, host, User, EventCode, TargetObject, Details, Extension, IsSuspiciousValue, IsUserHive, Image, CommandLine
| sort - _time

registry where event.type in ("creation", "change") and registry.path : ("*\\SOFTWARE\\Classes\\*\\shell\\open\\command*", "*\\HKEY_CLASSES_ROOT\\*\\shell\\open\\command*") and registry.data.strings : ("*powershell*", "*cmd.exe*", "*wscript*", "*cscript*", "*mshta*", "*rundll32*", "*regsvr32*", "*certutil*", "*bitsadmin*", "*AppData*", "*\\Temp\\*", "*ProgramData*") and not registry.data.strings : ("C:\\Windows\\system32\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, QIDNAME(qid) AS event_name, "TargetObject", "Details", "Image" FROM events WHERE LOGSOURCETYPEID = 12 AND ("EventID" = '12' OR "EventID" = '13' OR "EventID" = '14') AND ("TargetObject" ILIKE '%Classes%shell%open%command%' OR "TargetObject" ILIKE '%HKCR%shell%open%command%') AND ("Details" ILIKE '%powershell%' OR "Details" ILIKE '%cmd.exe%' OR "Details" ILIKE '%wscript%' OR "Details" ILIKE '%cscript%' OR "Details" ILIKE '%mshta%' OR "Details" ILIKE '%rundll32%' OR "Details" ILIKE '%regsvr32%' OR "Details" ILIKE '%certutil%' OR "Details" ILIKE '%bitsadmin%' OR "Details" ILIKE '%AppData%' OR "Details" ILIKE '%\\Temp\\%' OR "Details" ILIKE '%ProgramData%') AND NOT ("Details" ILIKE '%C:\\Windows\\system32\\%' OR "Details" ILIKE '%C:\\Program Files\\%') START SYSDATE - 1 DAYS

_sourceCategory="windows/sysmon" (EventID=12 OR EventID=13 OR EventID=14) | where TargetObject matches /(?i).*Classes.*\.\w+.*shell.*open.*command.*/ | parse regex field=TargetObject "Classes\\\\(?P<Extension>\.[^\\]+)\\" nodrop | eval IsSuspiciousValue = if (TargetObject matches /(?i).*(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|AppData|\\Temp\\|ProgramData).*/, 1, 0) | eval IsUserHive = if (TargetObject matches /(?i).*(HKU|HKCU).*/, 1, 0) | eval IsLegitPath = if (Details matches /(?i).*(C:\\Windows\\system32\\|C:\\Program Files\\|C:\\Program Files \(x86\)\\).*/, 1, 0) | where IsSuspiciousValue = 1 OR IsUserHive = 1 | where IsLegitPath = 0 | fields _messageTime, Computer, User, EventID, TargetObject, Details, Extension, IsSuspiciousValue, IsUserHive, Image, CommandLine | sort - _messageTime

rule t1546_001_file_association_hijack {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modification of file extension shell open command handlers to point to suspicious executables, indicating T1546.001 persistence."
    severity = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1546.001"
    reference = "https://attack.mitre.org/techniques/T1546/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /(?i)(software\\classes\\|hkey_classes_root\\)/
    $e.target.registry.registry_key = /(?i)shell\\open\\command/
    (
      $e.target.registry.registry_value_data = /(?i)(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)/ or
      $e.target.registry.registry_value_data = /(?i)(appdata|\\temp\\|programdata)/
    )
    not $e.target.registry.registry_value_data = /(?i)(c:\\windows\\system32\\|c:\\program files\\|c:\\program files \(x86\)\\)/

  condition:
    $e
}

#event_simpleName=RegValueSet OR #event_simpleName=RegKeyCreate
| RegistryPath = /(?i)(software\\classes\\|hkey_classes_root\\)/
| RegistryPath = /(?i)shell\\open\\command/
| (RegistryValueData = /(?i)(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)/ OR RegistryValueData = /(?i)(appdata|\\temp\\|programdata)/)
| RegistryValueData != /(?i)(c:\\windows\\system32\\|c:\\program files\\|c:\\program files \(x86\)\\)/
| eval Extension = replace(RegistryPath, /.*software\\classes\\(\.\w+)\\.*/i, "$1")
| eval IsSuspicious = case(
    RegistryValueData = /(?i)(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)/, "SuspiciousBinary",
    RegistryValueData = /(?i)(appdata|\\temp\\|programdata)/, "SuspiciousPath",
    true(), "Unknown"
  )
| table([@timestamp, ComputerName, UserName, #event_simpleName, RegistryPath, RegistryValueData, Extension, IsSuspicious, ImageFileName, CommandLine])
| sort(field=@timestamp, order=desc)