title: Change Shell Open RegKeys
description: Detection of file association changes. Detection by registry is noisy
  due to problem filtering on registry root, so install/uninstall apps create noise.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Persistence
   technique: T1546
   subtechnique: 008
operating_system: windows
query: '--- File assoc change by registry

  RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
  , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
  Value Modified" )'
false_positives: null
tags: null