
Summary
The rule 'Potential Attachment Manager Settings Associations Tamper' detects potential tampering with the Windows Attachment Manager settings that manage security policies for various file types. The Attachment Manager is a Windows feature that identifies potentially unsafe files and controls how applications handle them. This rule monitors the Windows Registry for changes to the specific subkeys that hold these policies, focusing on the file-type associations that could be reconfigured to treat files as low risk. The rule triggers an alert when those registry values are altered, in particular when a change would weaken the default security posture by allowing the execution of files that should normally be flagged as high risk. The primary focus is on the DefaultFileTypeRisk and LowRiskFileTypes values, so that a malicious actor cannot lower the default security settings without detection. The detection uses a specific registry path to identify changes and is designed to filter for modifications that may reflect an attempt to abuse Windows' file handling mechanisms.
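The following is an added example, not the rule's own logic or code from the rule's authors, showing how the two conditions described above can be evaluated over registry value-set events (the field names mirror Sysmon Event ID 13: TargetObject, Details, Image). It assumes, from Microsoft's Attachment Manager documentation rather than from this page, that the policy values live under ...\Software\Microsoft\Windows\CurrentVersion\Policies\Associations, that DefaultFileTypeRisk 0x1808 means "low risk" (0x1806 high, 0x1807 moderate), and that LowRiskFileTypes is a semicolon-separated extension list; the sample events and the list of extensions treated as dangerous are constructed for the example.

```python
"""Added example: flag Attachment Manager policy tampering in registry value-set events.

Assumptions (not from the page): the Associations policy key path, the meaning of
DefaultFileTypeRisk 0x1808 (low risk), and the LowRiskFileTypes list format.
"""
import re

# Assumed policy key (lower-cased for case-insensitive matching, as registry paths are).
ASSOCIATIONS_KEY = "\\software\\microsoft\\windows\\currentversion\\policies\\associations\\"
LOW_RISK = 0x1808  # assumed: 0x1806 = high, 0x1807 = moderate, 0x1808 = low

# Constructed list of extensions that should never be downgraded to low risk.
DANGEROUS_EXTENSIONS = {
    ".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta", ".msi", ".lnk",
}


def parse_dword(details):
    """Parse a Sysmon-style 'DWORD (0x00001808)' string or a plain integer string."""
    match = re.search(r"0x([0-9a-fA-F]+)", details)
    if match:
        return int(match.group(1), 16)
    try:
        return int(details)
    except ValueError:
        return None


def evaluate_event(event):
    """Return a finding string for a suspicious value set, or None if benign."""
    target = event["TargetObject"].lower()
    if ASSOCIATIONS_KEY not in target:
        return None  # not an Attachment Manager policy value
    value_name = target.rsplit("\\", 1)[-1]
    details = event.get("Details", "")
    image = event.get("Image", "<unknown>")

    if value_name == "defaultfiletyperisk":
        risk = parse_dword(details)
        if risk == LOW_RISK:
            return f"DefaultFileTypeRisk lowered to 0x{risk:04x} (low risk) by {image}"
    elif value_name == "lowriskfiletypes":
        listed = {ext.strip().lower() for ext in details.split(";") if ext.strip()}
        hits = sorted(listed & DANGEROUS_EXTENSIONS)
        if hits:
            return f"LowRiskFileTypes marks {', '.join(hits)} as low risk via {image}"
    return None


def scan(events):
    """Evaluate every event and return the list of findings."""
    return [finding for finding in (evaluate_event(e) for e in events) if finding]


# Constructed sample events (field layout mirrors Sysmon Event ID 13).
SAMPLE_EVENTS = [
    {   # downgrade of the default risk level: should alert
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\Associations\\DefaultFileTypeRisk",
        "Details": "DWORD (0x00001808)",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    },
    {   # executables added to the low-risk list: should alert
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\Associations\\LowRiskFileTypes",
        "Details": ".exe;.bat;.txt",
        "Image": "C:\\Windows\\System32\\reg.exe",
    },
    {   # risk level set to high: benign
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Policies\\Associations\\DefaultFileTypeRisk",
        "Details": "DWORD (0x00001806)",
        "Image": "C:\\Windows\\System32\\gpupdate.exe",
    },
    {   # unrelated key: ignored
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Program Files\\Vendor\\updater.exe",
        "Image": "C:\\Program Files\\Vendor\\setup.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Running the block prints two alerts, one per tampering condition; the high-risk setting and the unrelated Run key produce nothing. The DWORD parsing step matters in practice because a detection that compares the raw Details string would miss the same value rendered in a different width or case.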
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
Created: 2022-08-01