Detects modification of registry keys used for default file handlers, followed by anomalous process execution from user-initiated file opens. This includes tracking changes under HKCU and HKCR for file extension mappings, and correlating them with new or suspicious handler paths launching unusual child processes (e.g., PowerShell, cmd, wscript).

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13,14 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |

| Field | Description |
|---|---|
| TimeWindow | Defines how long after the registry modification to correlate a suspicious process execution |
| UserContext | Tune to ignore known admin or installer behavior in specific user profiles |
| SuspiciousHandlerPathRegex | Pattern match for suspicious handler paths (e.g., powershell.exe, rundll32.exe) |
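The correlation described above, written out in Python as an added example (not part of the original detection strategy or any MITRE tooling). Field names follow Sysmon's event schema; the sample events, the regexes, the window length and the allow-listed user are constructed assumptions. Note that Sysmon records HKCU paths as HKU\<SID>\Software\Classes and HKCR paths under HKLM\SOFTWARE\Classes, so the key pattern matches on the `Classes` subtree rather than the hive alias.

```python
import re
from datetime import datetime

# Tunables mirroring the analytic fields: TimeWindow, SuspiciousHandlerPathRegex, UserContext.
SUSPICIOUS_HANDLER = re.compile(r"(powershell|cmd|wscript|cscript|rundll32|mshta)\.exe", re.I)
# Default-association handler keys: <hive>\...\Classes\<ext or ProgID>\shell\open\command
ASSOC_KEY = re.compile(r"\\Classes\\[^\\]+\\shell\\open\\command", re.I)
IGNORED_USERS = {"NT AUTHORITY\\SYSTEM"}  # assumed allow-list for installer/admin context

# Constructed sample events (not real telemetry): EventCode 13 = registry value set, 1 = process create.
EVENTS = [
    {"EventCode": 13, "UtcTime": "2024-01-10 09:00:00", "User": "CORP\\alice",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Classes\\.txt\\shell\\open\\command\\(Default)",
     "Details": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.js %1"},
    {"EventCode": 1, "UtcTime": "2024-01-10 09:05:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.js notes.txt"},
    {"EventCode": 1, "UtcTime": "2024-01-10 09:06:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign handler: no alert
    {"EventCode": 1, "UtcTime": "2024-01-10 11:00:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe"},  # outside the window: no alert
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate(events, window_minutes=30):
    """Return (registry key, command line) pairs where a user-initiated file open (parent
    explorer.exe) launched a suspicious handler within the window after an association key changed."""
    reg_changes = [e for e in events if e["EventCode"] in (13, 14)
                   and ASSOC_KEY.search(e["TargetObject"])
                   and e["User"] not in IGNORED_USERS]
    alerts = []
    for p in events:
        if p["EventCode"] != 1 or not p["ParentImage"].lower().endswith("\\explorer.exe"):
            continue
        if not SUSPICIOUS_HANDLER.search(p["Image"]):
            continue
        for r in reg_changes:
            delta = (parse(p["UtcTime"]) - parse(r["UtcTime"])).total_seconds()
            if r["User"] == p["User"] and 0 <= delta <= window_minutes * 60:
                alerts.append((r["TargetObject"], p["CommandLine"]))
    return alerts

if __name__ == "__main__":
    for key, cmd in correlate(EVENTS):
        print(f"ALERT: {key} -> {cmd}")
```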