Merge pull request #2283 from Karneades/new-filehandler

rule: add new rule to detect the abuse of the exefile file handler

rules/windows/registry_event/win_registry_file_association_exefile.yml

@@ -0,0 +1,22 @@
+title: New File Association Using Exefile
+id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
+description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
+author: Andreas Hunkeler (@Karneades)
+date: 2021/11/19
+status: experimental
+references:
+    - https://twitter.com/mrd0x/status/1461041276514623491
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: 'Classes\.'
+        Details: 'exefile'
+        EventType: SetValue
+    condition: selection
+falsepositives:
+    - Unknown
+level: high