Detect Change Default File Association in IBM QRadar
Adversaries may establish persistence by changing the default file association for a file extension. When a file is opened, the default program associated with the file extension is executed. Adversaries can exploit this by modifying the registry key that defines the default handler for a given file extension (e.g., .txt, .js, .hta) to point to a malicious executable, causing their payload to execute whenever a user opens a file with that extension.
MITRE ATT&CK
- Tactic
- Privilege Escalation, Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.001 Change Default File Association
- Canonical reference
- https://attack.mitre.org/techniques/T1546/001/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, QIDNAME(qid) AS event_name, "TargetObject", "Details", "Image"
FROM events
WHERE LOGSOURCETYPEID = 12
  AND ("EventID" = '12' OR "EventID" = '13' OR "EventID" = '14')
  AND ("TargetObject" ILIKE '%Classes%shell%open%command%' OR "TargetObject" ILIKE '%HKCR%shell%open%command%')
  AND ("Details" ILIKE '%powershell%' OR "Details" ILIKE '%cmd.exe%' OR "Details" ILIKE '%wscript%' OR "Details" ILIKE '%cscript%' OR "Details" ILIKE '%mshta%' OR "Details" ILIKE '%rundll32%' OR "Details" ILIKE '%regsvr32%' OR "Details" ILIKE '%certutil%' OR "Details" ILIKE '%bitsadmin%' OR "Details" ILIKE '%AppData%' OR "Details" ILIKE '%\\Temp\\%' OR "Details" ILIKE '%ProgramData%')
  AND NOT ("Details" ILIKE '%C:\\Windows\\system32\\%' OR "Details" ILIKE '%C:\\Program Files\\%')
LAST 1 DAYS
Detects Sysmon registry events (Event ID 12/13/14) in which a file extension's shell\open\command handler is modified to point to a suspicious executable or a non-standard path, consistent with T1546.001 file association hijacking. The time window is expressed with the AQL LAST clause (the original text used a non-AQL START expression).
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployment tools (SCCM, Intune) that modify file associations as part of managed application configuration.
- Developer environments installing language runtimes (Python, Node.js, Ruby) that register script file type handlers pointing to interpreter binaries in non-standard paths.
- Virtualization or sandbox products that intercept file open commands by registering their own handlers.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Change .txt File Association to cmd.exe
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject contains HKCU\Software\Classes\.txt\shell\open\command, Details contains 'cmd.exe'. Security Event ID 4657 if object access auditing is enabled. Process creation for reg.exe with the add command.
- Test 2: Change .js File Association to PowerShell
Expected signal: Sysmon Event ID 13: TargetObject HKCU\Software\Classes\.js\shell\open\command, Details contains powershell.exe. Process creation for reg.exe.
- Test 3: Establish Persistence via .hta File Association
Expected signal: Sysmon Event ID 13: TargetObject HKCU\Software\Classes\.hta\shell\open\command, Details contains mshta.exe. The vbscript: protocol in the handler is a high-fidelity indicator of malicious intent.
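The following is an added example, not code from the page, from QRadar or from Atomic Red Team. It ports the WHERE clause of the detection query above into a small Python function and runs it over constructed Sysmon-shaped records that mirror the three tests, the false-positive sources listed under Tuning, and one record the query as written misses: because the NOT clause is a substring match over the whole handler value, any command whose arguments mention C:\Program Files\ or C:\Windows\system32\ is treated as trusted even when the executable itself lives in AppData. The `anchored_exclusion` switch shows the hardened variant, which checks only the launched executable. The allowlist of writing processes (`ALLOWLISTED_IMAGES`), the SIDs and all file paths are assumptions made for the example; CcmExec.exe is the SCCM client host process.

```python
"""Offline model of the T1546.001 QRadar rule over constructed Sysmon records.
Added example; not QRadar code. Field names mirror the AQL query's properties."""
import re

REGISTRY_EVENT_IDS = {12, 13, 14}  # Sysmon: key create/delete, value set, key/value rename

# The two TargetObject ILIKE patterns from the query, with '%' translated to '.*'.
HANDLER_KEY_PATTERNS = [
    re.compile(r"classes.*shell.*open.*command", re.IGNORECASE),
    re.compile(r"hkcr.*shell.*open.*command", re.IGNORECASE),
]
# Substrings the query looks for in the new handler value (LOLBins, user-writable paths).
SUSPICIOUS_TERMS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32",
                    "regsvr32", "certutil", "bitsadmin", "appdata", "\\temp\\", "programdata")
# The query's NOT clause: handlers under these directories are treated as trusted.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
# Assumed tuning allowlist (not on the page): processes that legitimately rewrite handlers.
ALLOWLISTED_IMAGES = {"ccmexec.exe"}


def handler_executable(details: str) -> str:
    """First token of a shell command with surrounding quotes removed (the launched binary)."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split()[0] if details else ""


def matches_rule(event: dict, anchored_exclusion: bool = False) -> bool:
    """Port of the AQL WHERE clause.
    anchored_exclusion=False reproduces the query as written (trusted-directory check is a
    substring match anywhere in Details); True applies it only to the launched executable."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    if not any(p.search(event.get("TargetObject", "")) for p in HANDLER_KEY_PATTERNS):
        return False
    details = event.get("Details", "")
    lowered = details.lower()
    if not any(term in lowered for term in SUSPICIOUS_TERMS):
        return False
    scope = handler_executable(details).lower() if anchored_exclusion else lowered
    return not any(trusted in scope for trusted in TRUSTED_DIRS)


def triage(events, anchored_exclusion: bool = False, apply_allowlist: bool = False):
    """Return the TargetObject of every event the rule reports after optional tuning."""
    hits = []
    for ev in events:
        if not matches_rule(ev, anchored_exclusion):
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if apply_allowlist and image in ALLOWLISTED_IMAGES:
            continue  # Tuning: managed deployment tooling rewriting handlers
        hits.append(ev["TargetObject"])
    return hits


SID = r"HKU\S-1-5-21-1000"  # constructed user hive prefix (Sysmon renders HKCU this way)
SAMPLE_EVENTS = [  # all constructed
    # Test 1: .txt handler set to cmd.exe by reg.exe. Written as a bare name; a full
    # C:\Windows\System32\cmd.exe path would be suppressed by the NOT clause as written.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Classes\.txt\shell\open\command", "Details": 'cmd.exe "%1"'},
    # Test 2: .js handler set to powershell.exe
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Classes\.js\shell\open\command",
     "Details": 'powershell.exe -File "%1"'},
    # Test 3: .hta handler set to mshta.exe
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Classes\.hta\shell\open\command", "Details": 'mshta.exe "%1"'},
    # Benign: the default VBS handler lives in System32, so the NOT clause excludes it
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\VBSFile\Shell\Open\Command",
     "Details": r'"C:\Windows\System32\WScript.exe" "%1" %*'},
    # Benign (Tuning bullet 1): SCCM deploying an app whose handler sits under ProgramData
    {"EventID": 13, "Image": r"C:\Windows\CCM\CcmExec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\VendorDoc\shell\open\command",
     "Details": r'"C:\ProgramData\Vendor\viewer.exe" "%1"'},
    # Missed by the query as written: AppData executable, but an argument mentions
    # C:\Program Files\, which the substring NOT clause treats as trusted
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "TargetObject": SID + r"\Software\Classes\.txt\shell\open\command",
     "Details": r'"C:\Users\bob\AppData\Roaming\Viewer\viewer.exe" "%1" --fonts "C:\Program Files\Common Files\Fonts"'},
    # Not a registry event (process creation): never in scope
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "TargetObject": "",
     "Details": r"reg.exe add HKCU\Software\Classes\.txt\shell\open\command"},
]

if __name__ == "__main__":
    print("as written:", triage(SAMPLE_EVENTS))
    print("allowlisted:", triage(SAMPLE_EVENTS, apply_allowlist=True))
    print("anchored + allowlisted:", triage(SAMPLE_EVENTS, anchored_exclusion=True, apply_allowlist=True))
```

Running it reports the three test records plus the SCCM write with the query as written; the allowlist removes the SCCM write, and the anchored exclusion adds back the AppData handler that the substring check had suppressed. When porting the anchored variant to AQL, note that the exclusion still cannot distinguish a System32 binary launched on its own from one launched with a payload path in its arguments, so Test 1 should be exercised with the exact handler string your environment would see.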
References (5)
- https://attack.mitre.org/techniques/T1546/001/
- https://docs.microsoft.com/en-us/windows/win32/shell/fa-intro
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md
- https://pentestlab.blog/2020/01/13/persistence-change-default-file-association/
- https://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-75/