title: Change Default File Association (T1546.001)
id: df00tech-t1546-001
status: experimental
description: "Adversaries may establish persistence by changing the default file association for a file extension. When a file is opened, the default program associated with the file extension is executed. Adversaries can exploit this by modifying the registry key that defines the default handler for a given file extension (e.g., .txt, .js, .hta) to point to a malicious executable, causing their payload to execute whenever a user opens a file with that extension."
references:
  - https://attack.mitre.org/techniques/T1546/001/
  - https://df00tech.com/detections/T1546.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installations that legitimately register file handlers (e.g., installing a new browser changes .html, .htm associations)"
  - "Development tools registering custom file extensions for project files (Visual Studio, JetBrains IDEs)"
  - "PDF readers, media players, and archiving utilities that change handler associations during install or on first run"
  - "Group Policy-driven file association changes pushed by IT during software deployments"
level: medium
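The rule body above is a placeholder, so here is an added worked example of the detection logic the description calls for, written in Python over constructed Sysmon Event ID 13 (registry value set) records. It is not part of the df00tech rule or the Sigma project. It flags two shapes of T1546.001 activity: a rewrite of a `<ProgID>\shell\open\command` handler, and a redirect of an extension's `(Default)` ProgID under `HKCR\<.ext>` or a per-user `Classes` hive. Severity is raised when the new handler points into a user-writable path or through a script host, and lowered when the writing process is on an assumed installer allowlist, which covers the false positives listed in the rule. The field names (`Image`, `TargetObject`, `Details`), the allowlist and all sample events are assumptions made for the example.

```python
"""Detection logic for T1546.001 (Change Default File Association).

Added example, not part of the df00tech rule. It consumes Sysmon Event ID 13
(RegistryEvent: Value Set) records as flat dicts with the Image, TargetObject
and Details fields a SIEM typically exposes. The sample events below are
constructed for illustration.
"""
import re
from typing import Optional

# The handler for a file type lives at <ProgID>\shell\open\command, and the
# ProgID itself is the (Default) value of HKCR\<.ext>. Sysmon reports the key
# as HKCR\..., HKLM\...\Software\Classes\... or HKU\<SID>_Classes\..., so both
# patterns anchor on the tail of the path rather than on a particular hive.
HANDLER_KEY_RE = re.compile(r"\\shell\\open\\command(?:\\\(Default\))?$", re.IGNORECASE)
EXT_PROGID_RE = re.compile(
    r"(?:^HKCR|\\Software\\Classes|_Classes)\\(\.[^\\]+)\\\(Default\)$", re.IGNORECASE
)

# A handler command that points into a user-writable directory or runs through
# a script host is the usual shape of a malicious association. Assumed lists;
# tune them for the environment.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "pwsh",
                "cmd.exe", "cmd /c", "rundll32", "regsvr32")
# Processes that legitimately register handlers (installers, deployment tooling),
# matching the rule's falsepositives section. Assumed allowlist; extend per site.
KNOWN_INSTALLERS = ("\\msiexec.exe", "\\setup.exe", "\\install.exe")


def analyze(event: dict) -> Optional[dict]:
    """Return a finding for a value set that rewires a file association, else None."""
    if str(event.get("EventID")) != "13":
        return None
    target = event.get("TargetObject", "")
    image = event.get("Image", "").lower()
    details = event.get("Details", "").lower()

    if HANDLER_KEY_RE.search(target):
        kind = "handler_command_rewritten"
    elif EXT_PROGID_RE.search(target):
        kind = "extension_progid_redirected"
    else:
        return None  # some other registry write; not this technique

    suspicious = any(p in details for p in USER_WRITABLE) or any(h in details for h in SCRIPT_HOSTS)
    installer = image.endswith(KNOWN_INSTALLERS)
    if suspicious:
        severity = "high"      # new handler lives in user space or is a script host
    elif installer:
        severity = "low"       # expected during software installation
    else:
        severity = "medium"    # association changed by an unexpected process

    return {"kind": kind, "severity": severity, "image": event.get("Image", ""),
            "target": target, "details": event.get("Details", "")}


def scan(events) -> list:
    """Run analyze() over an iterable of events and keep the findings."""
    return [f for f in (analyze(e) for e in events) if f]


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\txtfile\shell\open\command\(Default)",
     "Details": r'C:\Users\alice\AppData\Local\Temp\upd.exe "%1"'},
    {"EventID": "13", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKCR\htmlfile\shell\open\command\(Default)",
     "Details": r'"C:\Program Files\Browser\browser.exe" "%1"'},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCR\.hta\(Default)",
     "Details": "customhandler"},
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\updater.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['kind']}: {finding['image']} -> {finding['target']}")
```

Running the block reports the Temp-directory handler as high, the browser install as low and the `.hta` ProgID redirect as medium; the `Run` key write is ignored here because it belongs to a different technique. In a SIEM the same two path patterns map onto a registry value-set event source, with the installer allowlist expressed as a filter rather than a severity downgrade.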
