mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
20 lines
543 B
YAML
20 lines
543 B
YAML
title: Change Shell Open RegKeys
|
|
description: Detection of file association changes.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Persistence
|
|
technique: T1546
|
|
subtechnique: 008
|
|
operating_system: windows
|
|
query: '--- File assoc change by registry
|
|
|
|
RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
|
|
, "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
|
|
Value Modified" )'
|
|
false_positives:
|
|
- Un/install of some applications
|
|
tags:
|
|
|