Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0170: Analytic 0170

Detects modification of registry keys used for default file handlers, followed by anomalous process execution from user-initiated file opens. This includes tracking changes under HKCU and HKCR for file extension mappings, and correlating them with new or suspicious handler paths launching unusual child processes (e.g., PowerShell, cmd, wscript).

EnterpriseAN0170AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because Windows default file handler changes can turn normal user actions—such as opening a document or file type—into unexpected process execution. For leaders, the risk is not the registry change alone; it is whether the organization can notice when a user-facing file association is altered and then used to launch unusual tools such as PowerShell, cmd, or wscript.

Executive priority

Prioritize this as a Windows endpoint visibility and incident-readiness question. Security leaders should ask whether SOC tooling can correlate registry modifications under HKCU and HKCR with later process launches from user-initiated file opens. This supports better evidence for incident response, audit discussions around endpoint monitoring, and control prioritization for user workstations where file-opening behavior is business-critical.

Technical view

For SOC and detection teams, validate coverage for registry changes affecting default file handlers and file extension mappings, then correlate those changes with subsequent process creation from the new or suspicious handler path. Focus on Windows endpoints, especially HKCU and HKCR changes followed by unusual child processes such as PowerShell, cmd, or wscript. Because no ATT&CK detection logic is supplied, teams should treat this as a detection design requirement rather than a ready-to-run rule.

Likely telemetry

  • Windows registry modification events for HKCU and HKCR file extension and handler mappings
  • Process creation telemetry, including parent-child process relationships
  • Command-line and executable path details for launched handler processes
  • User context associated with registry changes and subsequent process execution
  • Endpoint timeline data linking file-open activity, handler path, and child process execution

Detection direction

  • Confirm registry telemetry captures user-scope and class-root file handler changes, not only system-wide changes.
  • Correlate handler modification events with later process execution rather than alerting on every file association change in isolation.
  • Tune for suspicious or unusual child processes launched from file-open workflows, including PowerShell, cmd, and wscript as examples from the ATT&CK description.
  • Account for legitimate software installs, browser or document application updates, and enterprise file-association changes as likely false-positive sources.
  • Review blind spots on unmanaged Windows endpoints, endpoints without command-line logging, or telemetry pipelines that do not preserve registry-to-process timelines.

Mitigation priorities

  • Ensure Windows endpoint logging and EDR policies collect registry modification and process creation details needed for correlation.
  • Baseline approved file association and handler changes for managed workstation builds and common business applications.
  • Restrict or monitor script and shell interpreters where business operations allow, especially when launched from unexpected parent or handler paths.
  • Include this behavior in incident response triage playbooks so analysts review both the registry modification and the resulting process tree.
  • Use findings to inform endpoint hardening, detection engineering priorities, and compliance evidence around monitoring of suspicious endpoint configuration changes.
Analyst notes and limits

The supplied object is a detection analytic for Windows and describes behavior involving default file handler registry modifications followed by anomalous process execution. No tactics, relationships, aliases, or separate official detection logic were supplied, so this take focuses on validation questions and telemetry requirements rather than a specific rule implementation.

This assessment is limited to the supplied ATT&CK analytic fields and external reference. It does not establish active exploitation, attribution, prevalence, impact, or existing customer detection coverage. Local endpoint configuration, logging depth, EDR capabilities, and approved file-association workflows are required to determine practical coverage and alert quality.

Official MITRE ATT&CK definition

Analytic 0170

Detects modification of registry keys used for default file handlers, followed by anomalous process execution from user-initiated file opens. This includes tracking changes under HKCU and HKCR for file extension mappings, and correlating them with new or suspicious handler paths launching unusual child processes (e.g., PowerShell, cmd, wscript).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b2121ef9d02148f7...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b2121ef9d021…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0170
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use