
Summary
This detection rule identifies changes to the Windows registry's default file association values, a significant indicator of potential malicious activity. Attackers may manipulate these values so that an unauthorized script or payload executes when a user opens a file of the associated type. The rule is built on data gathered from the Endpoint data model, specifically registry events for the paths that hold file association commands. When a registry path under "HKCR\*\shell\open\command\*" is modified, the rule flags the change so analysts can investigate further. If these alterations are confirmed as malicious, they may indicate a persistence mechanism that lets attackers maintain control over a compromised host.
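The following is an added example, not the rule's own search or any project code, showing the matching logic the summary describes run over a few constructed registry events. It translates the rule's wildcard path pattern into a regex, normalizes the long hive name HKEY_CLASSES_ROOT onto the HKCR alias so both spellings are caught (a small generalization beyond the literal pattern), and extracts the affected file type or ProgID for triage. The event field names (host, action, registry_path, registry_value_data) are assumptions modelled on Endpoint.Registry-style records, not the rule's exact schema.

```python
import re
from dataclasses import dataclass

# The registry path pattern the rule watches, written in the wildcard style
# used by the rule's own description.
RULE_PATH_PATTERN = r"HKCR\*\shell\open\command\*"


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard path pattern into a compiled, case-insensitive regex.

    '*' may match any run of characters, backslashes included, so the pattern
    covers every file type, verb argument and value name under the key.
    """
    literal_parts = pattern.split("*")
    regex = "^" + ".*".join(re.escape(part) for part in literal_parts) + "$"
    return re.compile(regex, re.IGNORECASE)


PATH_REGEX = glob_to_regex(RULE_PATH_PATTERN)
# Captures the file extension or ProgID (the key directly under HKCR) for triage.
TARGET_REGEX = re.compile(r"^HKCR\\([^\\]+)\\", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Map the long hive name onto the HKCR alias so both spellings match."""
    return re.sub(r"^HKEY_CLASSES_ROOT(?=\\)", "HKCR", path.strip(),
                  flags=re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    action: str
    target: str          # file extension or ProgID whose open command changed
    registry_path: str
    new_value: str
    technique: str = "T1546.001"


def detect_file_association_changes(events):
    """Return one Finding per event that touches an HKCR\\...\\shell\\open\\command key."""
    findings = []
    for event in events:
        path = normalize_path(event.get("registry_path", ""))
        if not PATH_REGEX.match(path):
            continue
        target_match = TARGET_REGEX.match(path)
        findings.append(Finding(
            host=event.get("host", "unknown"),
            action=event.get("action", "unknown"),
            target=target_match.group(1) if target_match else "",
            registry_path=path,
            new_value=event.get("registry_value_data", ""),
        ))
    return findings


# Constructed sample events (assumed field names, see above). Only the first two
# touch an open-command key; the print verb and the Run key are out of scope.
SAMPLE_EVENTS = [
    {"host": "ws01", "action": "modified",
     "registry_path": r"HKCR\.txt\shell\open\command\(Default)",
     "registry_value_data": r'"C:\Windows\System32\notepad.exe" "%1"'},
    {"host": "ws02", "action": "created",
     "registry_path": r"HKEY_CLASSES_ROOT\txtfile\shell\open\command\(Default)",
     "registry_value_data": r'"C:\Users\Public\viewer.exe" "%1"'},
    {"host": "ws03", "action": "modified",
     "registry_path": r"HKCR\.txt\shell\print\command\(Default)",
     "registry_value_data": r'"C:\Windows\System32\notepad.exe" /p "%1"'},
    {"host": "ws04", "action": "modified",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry_value_data": r"C:\Users\Public\updater.exe"},
]

if __name__ == "__main__":
    for finding in detect_file_association_changes(SAMPLE_EVENTS):
        print(f"[{finding.technique}] {finding.host}: {finding.action} "
              f"{finding.registry_path} -> {finding.new_value}")
```

Recording the new command value alongside the path is what makes the alert actionable: a change that still points at the expected application can be triaged quickly, while one that points at a user-writable location or a script interpreter warrants a closer look at the host.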
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1546.001
- T1546
Created: 2025-01-15