
Suspicious Changes to File Associations

Splunk Security Content

Summary
This detection rule identifies suspicious changes to Windows file associations by monitoring modifications to the relevant registry values. It specifically targets alterations made by processes that are uncommon for typical file association updates, that is, programs other than 'Explorer.exe' or 'OpenWith.exe'. The underlying logic employs Splunk's Adaptive Response framework to analyze Sysmon EventID logs, focusing on instances of registry changes and associating them with the processes that made them. The search aggregates data across processes and registry modifications, filtering out benign updates while highlighting potentially malicious behavior that could signify an attacker's attempt to hijack file extensions. Implementing this rule requires integration with Endpoint Detection and Response (EDR) systems, ensuring that logs of process activity and registry operations are captured and normalized using the Common Information Model (CIM).
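As an added illustration that is not part of the Splunk rule or its SPL, the following Python reproduces the summary's logic over constructed Sysmon registry records: keep EventID 12/13 writes to file-association keys, drop those made by Explorer.exe or OpenWith.exe, and aggregate the rest per process and registry path. The FileExts and shell\open\command path patterns, the field names and all sample values are assumptions made for this example.

```python
import ntpath
import re
from collections import defaultdict

# Processes the rule treats as the normal writers of file-association keys
# (from the rule summary); matched on the image basename, case-insensitively.
BENIGN_WRITERS = {"explorer.exe", "openwith.exe"}

# Registry locations that hold file associations. Both patterns are assumptions
# for this example: per-user Explorer\FileExts choices and the HKCR/Classes
# shell\open\command handler of a ProgId.
FILE_ASSOC_PATTERNS = [
    re.compile(r"\\Explorer\\FileExts\\", re.IGNORECASE),
    re.compile(r"(?:^HKCR|\\Classes)\\[^\\]+\\shell\\open\\command", re.IGNORECASE),
]

# Constructed Sysmon registry records (EventID 12 = key create/delete,
# EventID 13 = value set). Field names mirror Sysmon's XML, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FILEEXTS = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": FILEEXTS + r"\.txt\UserChoice\ProgId", "Details": "txtfile"},
    {"EventID": 13, "Image": r"C:\Windows\System32\OpenWith.exe", "TargetObject": FILEEXTS + r"\.pdf\UserChoice\ProgId", "Details": "AcroExch.Document"},
    {"EventID": 13, "Image": PS, "TargetObject": FILEEXTS + r"\.txt\UserChoice\ProgId", "Details": "ConstructedProgId"},
    {"EventID": 13, "Image": PS, "TargetObject": FILEEXTS + r"\.txt\UserChoice\ProgId", "Details": "ConstructedProgId"},
    {"EventID": 12, "Image": PS, "TargetObject": r"HKCR\ConstructedProgId\shell\open\command", "Details": "CreateKey"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start", "Details": "DWORD (0x00000003)"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -NoProfile"},  # process create, not a registry event
]


def is_file_association_path(registry_path: str) -> bool:
    """True when the registry path is one of the file-association locations above."""
    return any(p.search(registry_path) for p in FILE_ASSOC_PATTERNS)


def suspicious_file_association_changes(events):
    """Return one aggregated row per (process image, registry path) for
    file-association writes made by anything other than the benign writers."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        image = ev.get("Image", "")
        if ntpath.basename(image).lower() in BENIGN_WRITERS:
            continue
        target = ev.get("TargetObject", "")
        if not is_file_association_path(target):
            continue
        counts[(image, target)] += 1
    return [{"process": img, "registry_path": path, "count": n}
            for (img, path), n in sorted(counts.items())]


if __name__ == "__main__":
    for row in suspicious_file_association_changes(SAMPLE_EVENTS):
        print(f"{row['count']:>3}  {row['process']}  ->  {row['registry_path']}")
```

On the constructed sample this yields two rows, both attributed to powershell.exe, while the Explorer.exe and OpenWith.exe writes and the unrelated service-key change are dropped.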
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1546.001
Created: 2024-11-14