T1546.001 CrowdStrike LogScale · LogScale

Detect Change Default File Association in CrowdStrike LogScale

Adversaries may establish persistence by changing the default file association for a file extension. When a file is opened, the default program associated with the file extension is executed. Adversaries can exploit this by modifying the registry key that defines the default handler for a given file extension (e.g., .txt, .js, .hta) to point to a malicious executable, causing their payload to execute whenever a user opens a file with that extension.

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.001 Change Default File Association
Canonical reference
https://attack.mitre.org/techniques/T1546/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=RegValueSet OR #event_simpleName=RegKeyCreate
| RegistryPath = /(?i)(software\\classes\\|hkey_classes_root\\)/
| RegistryPath = /(?i)shell\\open\\command/
| (RegistryValueData = /(?i)(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)/ OR RegistryValueData = /(?i)(appdata|\\temp\\|programdata)/)
| RegistryValueData != /(?i)(c:\\windows\\system32\\|c:\\program files\\|c:\\program files \(x86\)\\)/
| eval Extension = replace(RegistryPath, /.*software\\classes\\(\.\w+)\\.*/i, "$1")
| eval IsSuspicious = case(
    RegistryValueData = /(?i)(powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)/, "SuspiciousBinary",
    RegistryValueData = /(?i)(appdata|\\temp\\|programdata)/, "SuspiciousPath",
    true(), "Unknown"
  )
| table([@timestamp, ComputerName, UserName, #event_simpleName, RegistryPath, RegistryValueData, Extension, IsSuspicious, ImageFileName, CommandLine])
| sort(field=@timestamp, order=desc)
high severity high confidence

Detects CrowdStrike Falcon registry set and create events where a file extension shell open command handler references a suspicious executable (powershell, mshta, wscript, etc.) or non-standard path (AppData, Temp, ProgramData), consistent with T1546.001 persistence establishment.

Data Sources

CrowdStrike Falcon EDRCrowdStrike LogScale (Humio)

Required Tables

RegValueSetRegKeyCreate Falcon event types

False Positives & Tuning

  • Script-heavy development environments where developers legitimately associate file types (.ps1, .py, .js) with their respective interpreters stored in user-writable paths for local toolchain workflows.
  • Security testing tools or sandbox agents that intentionally modify file associations as part of behavioral analysis or deception technology.
  • Software update mechanisms that temporarily modify file associations during patching before restoring original handlers, generating transient detections during the update window.
Download portable Sigma rule (.yml)

Other platforms for T1546.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Change .txt File Association to cmd.exe

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject contains HKCU\Software\Classes\.txt\shell\open\command, Details contains 'cmd.exe'. Security Event ID 4657 if object access auditing is enabled. Process creation for reg.exe with the add command.

  2. Test 2Change .js File Association to PowerShell

    Expected signal: Sysmon Event ID 13: TargetObject HKCU\Software\Classes\.js\shell\open\command, Details contains powershell.exe. Process creation for reg.exe.

  3. Test 3Establish Persistence via .hta File Association

    Expected signal: Sysmon Event ID 13: TargetObject HKCU\Software\Classes\.hta\shell\open\command, Details contains mshta.exe. The vbscript: protocol in the handler is a high-fidelity indicator of malicious intent.

Last updated: 2026-04-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1546.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.002ScreensaverT1546.003Windows Management Instrumentation Event SubscriptionT1546.004Unix Shell Configuration ModificationT1546.005TrapT1546.006LC_LOAD_DYLIB AdditionT1546.007Netsh Helper DLLT1546.008Accessibility FeaturesT1546.009AppCert DLLsT1546.010AppInit DLLsT1546.011Application ShimmingT1546.012Image File Execution Options InjectionT1546.013PowerShell ProfileT1546.014EmondT1546.015Component Object Model HijackingT1546.016Installer PackagesT1546.017Udev RulesT1546.018Python Startup Hooks

Related Techniques

T1546Event Triggered ExecutionT1547.001Registry Run Keys / Startup FolderT1059.001PowerShellT1059.005Visual BasicT1218.005MshtaT1218.011Rundll32T1574.002DLL Side-LoadingT1204.002Malicious File

Same Tactic: Privilege Escalation

Popular Detections