From cbf01aa51eeaae8d1df87ef0d9349be3f1864c17 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 22:46:55 +0300 Subject: [PATCH] Update and rename win_change_default_file_association.yml to process_creation_change_default_file_association.yml --- ...process_creation_change_default_file_association.yml} | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) rename rules/windows/process_creation/{win_change_default_file_association.yml => process_creation_change_default_file_association.yml} (86%) diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/process_creation_change_default_file_association.yml similarity index 86% rename from rules/windows/process_creation/win_change_default_file_association.yml rename to rules/windows/process_creation/process_creation_change_default_file_association.yml index e7cd16d34..315ff7035 100644 --- a/rules/windows/process_creation/win_change_default_file_association.yml +++ b/rules/windows/process_creation/process_creation_change_default_file_association.yml 
@@ -2,16 +2,19 @@ title: Change Default File Association status: experimental description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1042/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml logsource: category: process_creation product: windows detection: selection: - CommandLine: - - '*cmd.exe*/c*assoc*' + CommandLine|contains|all: + - 'cmd' + - '/c' + - 'assoc' condition: selection falsepositives: - Admin activity
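Review bot: the new `CommandLine|contains|all` selection is broader than the pattern it replaces, and the two changes are not equivalent. The old `'*cmd.exe*/c*assoc*'` required the literal `cmd.exe`, required `/c` to appear after it and `assoc` after that; the new list matches any command line that merely contains the three substrings `cmd`, `/c` and `assoc` anywhere and in any order, so `cmd` also hits paths and executables that only contain that string, and `assoc` also hits words such as `association` or `associated` in unrelated arguments (for example `cmd.exe /c echo file association`). Suggest tightening the first token to `'cmd.exe'` and, if the backend tokenises on spaces reliably, `'assoc '` or `' assoc'` with a surrounding space, or alternatively keeping the ordered wildcard string as a second selection. The loss of ordering should at least be reflected in the `falsepositives` entry, which still reads only `- Admin activity`. Separately, the hunk drops the `https://attack.mitre.org/techniques/T1042/` reference while the remaining reference still points at the T1042 Atomic Red Team test; keeping the MITRE link alongside it is the usual convention for these rules and costs nothing.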