
Change Default File Association

Veramine edited this page Jul 7, 2017 · 3 revisions

When a file is opened, Windows looks up the default program for that file type (also called the file association or handler). These selections are stored in the Windows Registry: an extension key such as .txt maps to a ProgID, the ProgID's shell\open\command key holds the command line that is run, and per-user overrides live under Explorer\FileExts\<ext>\UserChoice. Anyone with write access to those keys, whether a user, an administrator, or a program, can change them, so an application can point the handler for a given extension at an arbitrary program, which then runs every time a file with that extension is opened. You can read more about attacker use of this tactic at https://attack.mitre.org/wiki/Technique/T1042 (MITRE has since reclassified it as sub-technique T1546.001, Event Triggered Execution: Change Default File Association).

Veramine's detection engine flags instances where certain applications modify the default file association Registry keys. Here is an example detection:

The installers of some legitimate applications set a default file association as part of a normal install, so this algorithm currently raises only "Low" severity detections. Severity will be raised once machine learning is added to this algorithm to improve the fidelity of its alerts.
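To make the detection logic described above concrete, here is an added example (it is not Veramine's code and does not reproduce their engine). It runs over a handful of constructed registry SetValue events, formatted the way Sysmon Event ID 13 reports them (hive prefix in TargetObject, "(Default)" for a key's default value), and flags writes to the three places that define a file association. It goes beyond the page in one respect: besides the "Low" severity the page describes, it escalates to "Medium" when the writing process is not a known installer and to "High" when the new handler command launches a script host or points into a user-writable directory. The writer allowlist, the LOLBin list, and the path regex are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The three registry locations that decide which program opens a file.
# Path shapes follow Sysmon Event ID 13 conventions (an assumption of this
# example): hive prefix, then "\(Default)" for a key's default value.
EXT_TO_PROGID = re.compile(r"\\Classes\\(\.[^\\]+)\\\(Default\)$", re.I)
PROGID_OPEN_CMD = re.compile(r"\\Classes\\([^\\]+)\\shell\\open\\command\\\(Default\)$", re.I)
USER_CHOICE = re.compile(r"\\Explorer\\FileExts\\(\.[^\\]+)\\UserChoice\\ProgId$", re.I)

# Heuristics for raising severity above the page's default of "Low".
# These lists are the example's own assumptions, not Veramine's.
TRUSTED_WRITERS = {"msiexec.exe", "setup.exe", "explorer.exe", "dllhost.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.I)


@dataclass
class Detection:
    severity: str
    target: str      # extension or ProgID whose handler was rewritten
    new_value: str   # the value written (ProgID or command line)
    image: str       # process that performed the write
    reason: str


def classify(event: dict) -> Optional[Detection]:
    """Return a Detection if this SetValue event rewrites a file association."""
    path, value, image = event["TargetObject"], event["Details"], event["Image"]
    for pattern, kind in ((EXT_TO_PROGID, "extension -> ProgID"),
                          (PROGID_OPEN_CMD, "ProgID open command"),
                          (USER_CHOICE, "per-user UserChoice")):
        m = pattern.search(path)
        if m:
            break
    else:
        return None  # not a file-association key; ignore

    severity, reason = "Low", f"{kind} changed"
    image_name = image.rsplit("\\", 1)[-1].lower()
    if image_name not in TRUSTED_WRITERS:
        severity, reason = "Medium", f"{kind} changed by non-installer {image_name}"
    # Only the open command carries an executable; inspect its tokens.
    tokens = {t.strip('"').rsplit("\\", 1)[-1].lower() for t in value.split()}
    if kind == "ProgID open command" and (tokens & LOLBINS or USER_WRITABLE.search(value)):
        severity, reason = "High", "handler command launches a script host or a user-writable path"
    return Detection(severity, m.group(1), value, image, reason)


def scan(events):
    """Run classify() over a sequence of events and keep the hits."""
    return [d for d in map(classify, events) if d]


# Constructed sample events (not real telemetry), in Sysmon Event ID 13 style.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.pdf\(Default)",
     "Details": "AcroExch.Document.DC"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)",
     "Details": r'cmd.exe /c start "" C:\Users\alice\AppData\Local\Temp\payload.exe "%1"'},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice\ProgId",
     "Details": r"Applications\notepad++.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"Image": r"C:\Users\alice\Downloads\helper.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Classes\.txt\(Default)",
     "Details": "helperfile"},
]

if __name__ == "__main__":
    for d in scan(SAMPLE_EVENTS):
        print(f"[{d.severity:<6}] {d.target:<10} <- {d.new_value}  ({d.reason})")
```

Run as-is, the script reports the msiexec and Explorer writes at Low, the unknown helper.exe write at Medium, the Temp-directory handler rewrite at High, and ignores the unrelated Run key. In a real deployment the "Low" baseline is the important part: an installer allowlist like TRUSTED_WRITERS is exactly the kind of context the page says is needed to keep legitimate installs from paging anyone.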