← Library
splApache-2.0from splunk/security_content

Windows Change File Association Command To Notepad

The following analytic detects attempts to change the command value of a file association of an extension to open with Notepad.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns and registry modifications. This activity is significant as it can indicate an attempt to manipulate file handling behavior, a technique observed in APT and ransomware attacks like Prestige. After changing the extension of all encrypted files to a new one, Prestige ransomware modifies the file association for that extension to open with Notepad.exe in order to display a ransom note.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_change_file_association_command_to_notepad.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
  max(_time) as lastTime

from datamodel=Endpoint.Processes where

(
  (`process_reg` AND Processes.process="* add *")
  OR
  (`process_powershell` AND Processes.process IN ("*New-ItemProperty*", "*Set-ItemProperty*", "* sp *"))
)

Processes.process IN ("*HKCR\\*", "*HKEY_CLASSES_ROOT\\*")
Processes.process = "*\\shell\\open\\command*"
Processes.process = "*Notepad.exe*"

```
The exclusion below aims to filter the default notepad association as well as links to the notepad package from the Microsoft Store.
```

NOT Processes.process IN ("*\\Applications\\notepad.exe\\*", "*\\WindowsApps\\Microsoft.WindowsNotepad*")

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_change_file_association_command_to_notepad_filter`