
DET0061 Detect Default File Association Hijack via Registry & Execution Correlation on Windows

| Item | Value |
|---|---|
| ID | DET0061 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1546.001 (Change Default File Association)

Analytics

Windows

AN0170

Detects modification of registry keys used for default file handlers, followed by anomalous process execution from user-initiated file opens. This includes tracking changes under HKCU and HKCR for file extension mappings, and correlating them with new or suspicious handler paths launching unusual child processes (e.g., PowerShell, cmd, wscript).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Defines how long after the registry modification to correlate a suspicious process execution |
| UserContext | Tune to ignore known admin or installer behavior in specific user profiles |
| SuspiciousHandlerPathRegex | Pattern match for suspicious handler paths (e.g., powershell.exe, rundll32.exe) |
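An added worked example of the correlation this analytic describes, written here in Python over constructed Sysmon-shaped events; it is not part of the ATT&CK page or any MITRE tooling. The event values, the two regexes, the 10-minute window and the explorer.exe parent check are assumptions chosen to show how the three mutable elements (TimeWindow, UserContext, SuspiciousHandlerPathRegex) plug into the logic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events shaped like Sysmon EventCode 13 (registry value set) and
# EventCode 1 (process creation); field names follow Sysmon, every value is invented.
EVENTS = [
    {"EventCode": 13, "UtcTime": "2025-10-21 10:00:00", "User": "CORP\\alice",
     "TargetObject": "HKU\\S-1-5-21-1-1001\\Software\\Classes\\.txt\\shell\\open\\command\\(Default)",
     "Details": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -f \"%1\""},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:02:30", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 13, "UtcTime": "2025-10-21 11:00:00", "User": "CORP\\svc-installer",
     "TargetObject": "HKCR\\.pdf\\shell\\open\\command\\(Default)",
     "Details": "\"C:\\Program Files\\Reader\\reader.exe\" \"%1\""},
    {"EventCode": 1, "UtcTime": "2025-10-21 11:00:05", "User": "CORP\\svc-installer",
     "Image": "C:\\Program Files\\Reader\\reader.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

# The analytic's mutable elements; these defaults are illustrative starting points, not tuned values.
TIME_WINDOW = timedelta(minutes=10)                      # TimeWindow
IGNORED_USERS = {"CORP\\svc-installer"}                  # UserContext (a known installer account)
SUSPICIOUS_HANDLER = re.compile(r"(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe", re.I)
# HKCR\<ext>\shell\open\command, or the HKCU view as Sysmon records it: HKU\<SID>\Software\Classes\<ext>\...
ASSOC_KEY = re.compile(r"^(?:HKCR|HKU\\[^\\]+\\Software\\Classes)\\(\.[^\\]+)\\shell\\open\\command", re.I)

def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")

def correlate(events, window=TIME_WINDOW, ignored_users=IGNORED_USERS, handler_re=SUSPICIOUS_HANDLER):
    """Pair a suspicious file-association write with a later user-driven launch of that handler."""
    alerts, procs = [], [e for e in events if e["EventCode"] == 1]
    for reg in events:
        # EventCode 14 (rename) carries NewName rather than Details, so only value-set events are scored here
        if reg["EventCode"] != 13 or reg["User"] in ignored_users:
            continue
        m = ASSOC_KEY.match(reg["TargetObject"])
        if not m or not handler_re.search(reg["Details"]):
            continue
        t0, ext = _ts(reg), m.group(1)
        for p in procs:
            dt = _ts(p) - t0
            # Same user, the suspicious handler image, spawned by explorer.exe (a user opening a file), in-window
            if (p["User"] == reg["User"] and timedelta(0) <= dt <= window
                    and handler_re.search(p["Image"])
                    and p["ParentImage"].lower().endswith("\\explorer.exe")):
                alerts.append({"user": reg["User"], "extension": ext, "handler": reg["Details"],
                               "image": p["Image"], "seconds_after_change": int(dt.total_seconds())})
    return alerts
```

Running `correlate(EVENTS)` yields one alert for the .txt handler rewritten to powershell.exe and launched 150 seconds later; the installer's reader.exe association is dropped both by UserContext and by the handler regex.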