
Windows File Association Modification via Ftype

Splunk Security Content

Summary
This anomaly detects use of the Windows ftype command to modify file type associations. ftype is a built-in of cmd.exe rather than a standalone executable, so the activity appears in telemetry as a cmd.exe process (or a launcher such as PowerShell spawning cmd.exe) with ftype in its command line; this is why the rule is mapped to MITRE ATT&CK technique T1059.003 (Windows Command Shell) as the likely execution vector. ftype binds a registered file type (for example txtfile) to the command that opens it, stored under HKEY_CLASSES_ROOT\<type>\shell\open\command. An attacker who rewrites that value can make opening an ordinary document launch a malicious payload, or repoint a type to bypass a control that relies on the default handler. The rule searches endpoint telemetry for process executions whose command line contains ftype and uses the process metadata (process name, parent process, command line, path, and integrity level) to attribute risk to a specific user and destination host. Data sources are EDR telemetry and Windows event logs normalized to the Endpoint data model (Processes). The detection supports investigation by highlighting the involved user, host and process lineage, and provides drill-downs for focused review and for risk-oriented views over time. It covers persistence, execution and defense-evasion scenarios by flagging file association changes and letting the analyst compare the parent process against known-good or suspicious launchers. Note that ftype with no "=" only queries an association; only "ftype <type>=<command>" (set) and "ftype <type>=" (delete) change state, so triage should concentrate on the "=" form. Potential false positives include legitimate administrative or maintenance activity that inspects or adjusts file associations with ftype; tune the search by filtering known administrative users, approved parent processes or the query-only form rather than suppressing the detection outright. Overall, this rule supports rapid identification and investigation of attempted or successful file association abuse on Windows endpoints.
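As an added illustration that is not code from Splunk Security Content, the following Python runs the same logic over a handful of constructed process events shaped like the Endpoint.Processes fields the rule uses: it finds ftype in the command line, separates the query form from the state-changing set and delete forms, derives the registry value that ftype rewrites, and scores each hit with the parent process as the rule's lineage correlation intends. The sample events, the suspicious-parent list and the risk numbers are assumptions chosen for the example.

```python
import re
from typing import Optional

# Constructed sample process events (not real telemetry) in the shape of
# the Endpoint.Processes fields the rule references.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe",
     "process": "cmd.exe /c ftype txtfile"},
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "cmd.exe",
     "parent_process_name": "winword.exe",
     "process": 'cmd.exe /c ftype txtfile="C:\\Users\\Public\\payload.exe" "%1"'},
    {"dest": "srv02", "user": "NT AUTHORITY\\SYSTEM", "process_name": "cmd.exe",
     "parent_process_name": "services.exe",
     "process": "cmd.exe /c ftype Word.Document.12="},
    {"dest": "ws03", "user": "CORP\\bob", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe",
     "process": "cmd.exe /c assoc .txt"},
    {"dest": "ws04", "user": "CORP\\eve", "process_name": "cmd.exe",
     "parent_process_name": "powershell.exe",
     "process": 'cmd.exe /c FTYPE jpegfile=C:\\tmp\\x.exe "%1"'},
]

# Parent processes that should not normally be editing file associations.
# This list is an assumption for the example, not part of the rule.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

# Base risk per action; the numbers are illustrative choices.
BASE_RISK = {"query": 10, "delete": 50, "modify": 60}

FTYPE_RE = re.compile(r"\bftype\b\s*(?P<rest>.*)$", re.IGNORECASE)


def classify_ftype(cmdline: str) -> Optional[dict]:
    """Return what an ftype invocation does, or None if ftype is absent.

    cmd.exe syntax: "ftype" lists all types, "ftype <type>" shows one,
    "ftype <type>=<command>" sets the open command and "ftype <type>="
    deletes it.  Only the two forms containing '=' change state.
    """
    m = FTYPE_RE.search(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    if "=" not in rest:
        file_type = rest.split()[0] if rest else None
        return {"action": "query", "file_type": file_type, "open_command": None}
    file_type, _, open_command = rest.partition("=")
    file_type = file_type.strip()
    if not file_type:
        return None  # "ftype =x" is a syntax error, not a change
    open_command = open_command.strip()
    return {
        "action": "delete" if open_command == "" else "modify",
        "file_type": file_type,
        "open_command": open_command,
        # The value ftype writes lives here (HKCR merges HKLM and HKCU Classes).
        "registry_path": f"HKCR\\{file_type}\\shell\\open\\command",
    }


def risk_score(finding: dict, parent_process_name: str) -> int:
    """Combine the action with parent-process context, mirroring the rule's
    correlation with process lineage."""
    risk = BASE_RISK[finding["action"]]
    if parent_process_name.lower() in SUSPICIOUS_PARENTS:
        risk += 30
    return risk


def detect(events: list) -> list:
    """Run the detection over process events and return findings attributed
    to user and destination host."""
    findings = []
    for ev in events:
        finding = classify_ftype(ev["process"])
        if finding is None:
            continue
        finding.update(
            dest=ev["dest"],
            user=ev["user"],
            parent_process_name=ev["parent_process_name"],
            risk_score=risk_score(finding, ev["parent_process_name"]),
        )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['dest']:6} {f['user']:22} {f['action']:7} "
              f"risk={f['risk_score']:3} parent={f['parent_process_name']} "
              f"type={f['file_type']} cmd={f['open_command']}")
```

Running the block prints one line per ftype hit; the assoc invocation on ws03 is ignored because it is a different command. The split between query and modify/delete is the practical tuning knob: a search that fires on every ftype string will catch administrators checking an association, while the "=" form is the one that changes the handler and deserves the higher score.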
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Network Traffic
  • Windows Registry
  • Image
  • Process
  • Logon Session
  • File
  • Driver
ATT&CK Techniques
  • T1059.003
Created: 2026-04-13