title: Assoc Default File Change
description: Detection of file association change through assoc command.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Privilege Escalation
  technique: T1546
  subtechnique: 008
operating_system: windows
query: '--- File assoc change by assoc command TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
false_positives: null
tags: null