From 6ef80dde530b050b82ad1f7db6d61c7842d858d6 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 18 Sep 2020 09:28:39 -0500 Subject: [PATCH] updated persistence --- Persistence.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Persistence.md b/Persistence.md index 7cf6a14..b288f6d 100644 --- a/Persistence.md +++ b/Persistence.md @@ -50,8 +50,20 @@ Detection of unmanaged COR profiler hooking of .NET CLR through registry or proc ``` ### T1546.001 Change Default File Association -Atomics: [T1546.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md) +Atomics: [1546.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md) +Detection of file association changes. Detection by registry is noisy due to problem filtering on registry root, so install/uninstall apps create noise. + +``` +--- File assoc change by registry +RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command" , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry Value Modified" ) +``` + +Recommended (for now) +``` +--- File assoc change by assoc command +TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*" +``` ### T1574.001 DLL Search Order Hijacking Atomics: [T1574.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md)
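Review bot: the Atomics link label in `+Atomics: [1546.001](...)` drops the `T` prefix that the removed line and the neighbouring `### T1574.001` section keep; restore `[T1546.001]` so the label matches the heading and the URL. In the recommended query, `TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"` will match any command line containing the substring `assoc` (paths, words such as `association`) together with any `=`, which is broader than the `assoc .ext=ProgID` shape it is meant to catch; consider anchoring on the command token and the extension, e.g. `TgtProcCmdLine RegExp ".*\bassoc\s+\.\S+=.*"` (assuming the query language's regex flavour supports `\b` and `\s`), and say in the text why the registry query is demoted. The sentence "Detection by registry is noisy due to problem filtering on registry root, so install/uninstall apps create noise." also needs rewording, e.g. "Registry-based detection is noisy because the query cannot filter on the registry root hive, so application install/uninstall activity generates false positives."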