Windows Change File Association Command To Notepad

Splunk Security Content

Summary
This detection rule identifies attempts to change the file-association command for a file extension so that files of that type open with Notepad.exe. It uses data from Endpoint Detection and Response (EDR) systems, focusing on command-line patterns and registry changes. Altering file associations is a behaviour commonly used by malicious actors, notably in ransomware attacks such as Prestige, which registers its encrypted-file extension to open with Notepad so that the ransom note is displayed. The rule is built on observables such as Windows registry changes, process executions, and command-line arguments related to file associations and Notepad, and alerts security teams to investigate potentially malicious intent.
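As an added illustration (example code written for this page, not Splunk's rule or its search), the following Python flags EDR registry events in which a file association's open command is repointed at Notepad while leaving Windows' own Notepad-backed ProgIDs alone. The registry layout (`<ProgID>\shell\open\command`), the event fields and the allow-list of ProgIDs are assumptions, and the sample events are constructed.

```python
# Added example (not Splunk's rule): flag registry events that repoint a file association at Notepad.
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: association commands live under <ProgID>\shell\open\command (HKCR or HKU\<SID>\Software\Classes).
ASSOC_CMD_RE = re.compile(r"\\([^\\]+)\\shell\\open\\command$", re.IGNORECASE)
# Match notepad / notepad.exe but not notepad++ or notepad2.exe.
NOTEPAD_RE = re.compile(r"\bnotepad(\.exe)?(?![\w+\-])", re.IGNORECASE)
# ProgIDs whose default handler really is Notepad on Windows (tune per estate).
EXPECTED_NOTEPAD_PROGIDS = {"txtfile", "inifile"}

@dataclass
class RegistryEvent:
    host: str
    process: str
    command_line: str
    key_path: str
    value_data: str

def progid_from_key(key_path: str) -> Optional[str]:
    """Return the ProgID whose open command this key sets, else None."""
    m = ASSOC_CMD_RE.search(key_path.rstrip("\\"))
    return m.group(1).lower() if m else None

def is_assoc_to_notepad(ev: RegistryEvent) -> bool:
    progid = progid_from_key(ev.key_path)
    if progid is None or progid in EXPECTED_NOTEPAD_PROGIDS:
        return False
    return NOTEPAD_RE.search(ev.value_data) is not None

def find_suspicious(events: List[RegistryEvent]) -> List[RegistryEvent]:
    return [ev for ev in events if is_assoc_to_notepad(ev)]

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    # Windows' own .txt handler: Notepad is expected here, so it is not flagged.
    RegistryEvent("ws01", "svchost.exe", "", r"HKCR\txtfile\shell\open\command",
                  r"%SystemRoot%\system32\NOTEPAD.EXE %1"),
    # A new extension's handler repointed at Notepad via reg.exe: flagged.
    RegistryEvent("ws01", "reg.exe",
                  r'reg add HKCR\enc\shell\open\command /ve /d "C:\Windows\Notepad.exe \"%1\"" /f',
                  r"HKCR\enc\shell\open\command", r'C:\Windows\Notepad.exe "%1"'),
    # Per-user handler pointing at Notepad++: the lookahead keeps it out.
    RegistryEvent("ws02", "explorer.exe", "", r"HKCU\Software\Classes\enc\shell\open\command",
                  r'"C:\Program Files\Notepad++\notepad++.exe" "%1"'),
]
if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.host}: {ev.process} set {ev.key_path} -> {ev.value_data}")
```

The allow-list is the tuning point: without it, the default `.txt` handler would fire on every endpoint, and the originating process and command line carried on each event are what an analyst pivots on when a hit lands.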
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1546.001
Created: 2025-10-06