
Windows Change Default File Association For No File Ext

Splunk Security Content

Summary
This analytic rule detects attempts to change the default file association for files that have no extension so that Notepad.exe becomes the program that opens them. It uses data captured by Endpoint Detection and Response (EDR) systems and looks for specific command-line arguments and manipulations of the Windows registry. Monitoring this behavior matters because it has been used in advanced persistent threat (APT) scenarios and ransomware attacks, notably in incidents attributed to the Prestige ransomware group. A match may indicate an attacker tampering with how the system opens files, which could lead to arbitrary code execution if a user unwittingly opens a malicious file. To implement this detection effectively, organizations must ensure their EDR solutions are configured to capture the necessary logging details; logs from Windows Event Logs and Sysmon are essential for visibility into process creations and the command-line arguments they use.
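To show how the behavior described above might be spotted in EDR telemetry, here is an added example in Python; it is not Splunk's own search logic. It scans constructed Sysmon-style process-creation and registry value-set records for an `assoc .=` command line or a write to the no-extension handler key that points at Notepad. The field names (CommandLine, TargetObject, Details) and the sample records are assumptions.

```python
# Added example, not Splunk's search: flag EDR events that rebind the handler
# for extension-less files to Notepad.exe. Sysmon-style field names and the
# sample records below are assumptions / constructed data.
import re

# `assoc .=<progid>` in cmd.exe targets files with no extension (the "." class).
ASSOC_NO_EXT = re.compile(r"\bassoc\s+\.\s*=\s*(\S+)", re.IGNORECASE)
# Registry value backing that handler: ...\Classes\.\shell\open\command
NO_EXT_COMMAND_KEY = re.compile(r"\\classes\\\.\\shell\\open\\command$", re.IGNORECASE)
NOTEPAD = re.compile(r"notepad(\.exe)?\b", re.IGNORECASE)


def is_suspicious_process(event: dict) -> bool:
    """Process-creation event whose command line rebinds the no-extension class."""
    return bool(ASSOC_NO_EXT.search(event.get("CommandLine", "")))


def is_suspicious_registry(event: dict) -> bool:
    """Registry value-set event that points the no-extension handler at Notepad."""
    return bool(NO_EXT_COMMAND_KEY.search(event.get("TargetObject", ""))
                and NOTEPAD.search(event.get("Details", "")))


def detect(events):
    """Return (host, reason) tuples for events matching either pattern."""
    hits = []
    for ev in events:
        image = ev.get("Image", "?")
        if ev.get("EventType") == "ProcessCreate" and is_suspicious_process(ev):
            hits.append((ev["Computer"], "assoc .= via " + image))
        elif ev.get("EventType") == "RegistryValueSet" and is_suspicious_registry(ev):
            hits.append((ev["Computer"], "no-ext handler -> notepad via " + image))
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventType": "ProcessCreate", "Computer": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c assoc .=txtfile"},
    {"EventType": "ProcessCreate", "Computer": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c assoc .txt"},  # benign query, nothing rebound
    {"EventType": "RegistryValueSet", "Computer": "ws02", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.\shell\open\command", "Details": r"C:\Windows\notepad.exe %1"},
    {"EventType": "RegistryValueSet", "Computer": "ws02", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.txt\shell\open\command", "Details": r"C:\Windows\notepad.exe %1"},
]

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(host, reason)
```

The `.txt` handler write is deliberately left unflagged: rebinding a real extension is common software behavior, while the "." class is the specific target this rule cares about.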
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1546.001
  • T1546
Created: 2024-12-10