MITRE ATT&CK® Detection Strategy

DET0061: Detect Default File Association Hijack via Registry & Execution Correlation on Windows

Enterprise · DET0061 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because default file association changes can turn normal user actions, such as opening a file, into a persistence or privilege-escalation trigger on Windows. For leaders, the practical question is whether the organization can prove it would notice suspicious Registry-based file handler changes and correlate them with later process execution, rather than only reviewing endpoint alerts after persistence is already established.

Executive priority

Prioritize this as a Windows resilience and incident-readiness control area tied to persistence risk. Security leaders should ask whether SOC telemetry covers relevant Registry changes, whether endpoint logging can connect those changes to subsequent execution, and whether approved software or administrator activity creates enough noise to require tuning. This is also useful audit evidence for demonstrating monitoring of persistence mechanisms, but the supplied ATT&CK object does not provide a full detection analytic or mitigation procedure.

Technical view

DET0061 is a detection strategy for T1546.001, Change Default File Association, which is associated with persistence and privilege escalation on Windows. The object name indicates the core analytic concept: correlate Registry changes affecting default file associations with execution activity. SOC and detection teams should validate collection and correlation across Windows Registry modification events, process creation events, user/admin context, and timing between association changes and file-open or handler execution behavior. Because the official detection text is not provided, local engineering must define the exact Registry paths, event sources, allowlists, and correlation windows.

Likely telemetry

  • Windows Registry modification telemetry related to file associations or handlers
  • Process creation and command-line telemetry around programs launched after association changes
  • User, administrator, and host context for the account making the Registry change
  • Endpoint security or EDR events that record Registry and execution correlation
  • Change-management or software deployment records to distinguish approved handler changes from suspicious ones

Detection direction

  • Validate that Registry change events and process execution events are both collected from relevant Windows endpoints; either source alone may miss the behavior or lack context.
  • Correlate file association or handler changes with subsequent execution under the changed association, especially where the modifying account, target handler, or timing is unusual for the host.
  • Tune for legitimate administrator actions, software installation, browser or productivity-suite updates, and sanctioned default-app changes to reduce false positives.
  • Review whether telemetry retains enough detail to identify the user, host, modified Registry value, previous versus new handler where available, and the launched executable.
  • Use the relationship to T1546.001 to triage alerts as possible persistence or privilege-escalation activity, not merely configuration drift.
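The correlation described in the technical view and the detection-direction list above can be sketched as follows. This is an added illustration, not code from the ATT&CK object or from Glexia: it assumes Sysmon-style Registry value-set (Event ID 13) and process-creation (Event ID 1) records, uses a constructed set of sample events, and treats the standard file-handler locations (HKCR, HKLM\SOFTWARE\Classes and HKU\<SID>\Software\Classes under shell\...\command) plus a placeholder allowlist of approved handler directories as assumptions that local engineering would replace with its own list and correlation window.

```python
"""Correlate default file-association Registry changes with later execution.

Added illustration (not part of the ATT&CK object or the Glexia page). The
event shape follows Sysmon RegistryEvent (ID 13, value set) and ProcessCreate
(ID 1) fields; sample events, key patterns and the allowlist are constructed
assumptions, not a tuned production rule.
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# Where default handlers live. HKCR is a merged view of HKLM\SOFTWARE\Classes and
# HKU\<SID>\Software\Classes, so all three spellings are matched. Assumption: the
# default value is rendered as "(Default)" as Sysmon does; adjust for other sources.
HANDLER_KEY_RE = re.compile(
    r"^(HKCR|HKLM\\SOFTWARE\\Classes|HKU\\[^\\]+\\Software\\Classes)\\"
    r"[^\\]+\\shell\\[^\\]+\\command\\\(Default\)$",
    re.IGNORECASE,
)

# Placeholder allowlist of sanctioned handler locations (assumption); a real
# deployment would derive this from change-management or software inventory.
APPROVED_HANDLER_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.IGNORECASE)


def is_handler_key(target_object: str) -> bool:
    """True when the modified value is a file-type open/command handler."""
    return bool(HANDLER_KEY_RE.match(target_object))


def extract_handler(details: str) -> Optional[str]:
    """Pull the executable out of a command value such as '"C:\\p\\app.exe" "%1"'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 1 else None
    return details.split(" ")[0] if details else None


def correlate(events, window=timedelta(hours=1)):
    """Return one finding per non-allowlisted handler change that is followed,
    on the same host and inside `window`, by execution of the new handler.
    Note: a value-set event carries only the new value; the previous handler
    must come from a baseline if the SOC wants before/after context."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 13 or not is_handler_key(ev["target_object"]):
            continue
        handler = extract_handler(ev["details"])
        if handler is None or APPROVED_HANDLER_RE.match(handler):
            continue  # sanctioned location; tune locally rather than hard-code
        deadline = ev["time"] + window
        for later in events[i + 1:]:
            if later["time"] > deadline:
                break
            if (later["event_id"] == 1 and later["host"] == ev["host"]
                    and later["image"].lower() == handler.lower()):
                findings.append({
                    "host": ev["host"],
                    "changed_by": ev["user"],
                    "target_object": ev["target_object"],
                    "handler": handler,
                    "change_time": ev["time"],
                    "exec_time": later["time"],
                    "exec_user": later["user"],
                    "minutes_to_exec": (later["time"] - ev["time"]).seconds // 60,
                })
                break
    return findings


# Constructed sample telemetry covering a benign, a suspicious and an out-of-window case.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    # Deployment account repoints .pdf to an approved reader, user opens a file: benign.
    {"event_id": 13, "time": T0, "host": "WS01", "user": "CORP\\svc-deploy",
     "target_object": r"HKLM\SOFTWARE\Classes\AcroExch.Document\shell\open\command\(Default)",
     "details": r'"C:\Program Files\Reader\reader.exe" "%1"'},
    {"event_id": 1, "time": T0 + timedelta(minutes=5), "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Program Files\Reader\reader.exe", "command_line": r'reader.exe "C:\Users\alice\q.pdf"'},
    # txtfile handler moved to a user-writable path, then executed 12 minutes later: flag.
    {"event_id": 13, "time": T0 + timedelta(minutes=30), "host": "WS02", "user": "CORP\\bob",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\txtfile\shell\open\command\(Default)",
     "details": r'"C:\Users\bob\AppData\Roaming\notes.exe" "%1"'},
    {"event_id": 1, "time": T0 + timedelta(minutes=42), "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Roaming\notes.exe", "command_line": r'notes.exe "C:\Users\bob\todo.txt"'},
    # Same kind of change on WS03 but execution falls outside the 1h window: not correlated.
    {"event_id": 13, "time": T0 + timedelta(hours=2), "host": "WS03", "user": "CORP\\carol",
     "target_object": r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)",
     "details": r'"C:\Users\carol\tool.exe" "%1"'},
    {"event_id": 1, "time": T0 + timedelta(hours=4), "host": "WS03", "user": "CORP\\carol",
     "image": r"C:\Users\carol\tool.exe", "command_line": "tool.exe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports only the WS02 change. The WS01 change is dropped by the allowlist, which is where the tuning for installers and sanctioned default-app changes would live, and the WS03 change is left uncorrelated by the window; a production rule would typically still surface such changes at a lower severity so that the analyst can review the modifying account and the new handler even without a matching execution.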

Mitigation priorities

  • Establish baseline and change-control expectations for default file association changes on managed Windows systems.
  • Limit unnecessary Registry modification rights through standard endpoint hardening and least-privilege administration practices.
  • Ensure endpoint monitoring is configured to capture both Registry modification and process execution evidence needed for correlation.
  • Document approved software and administrative workflows that legitimately alter file associations so the SOC can tune detections without suppressing meaningful anomalies.
  • Include this behavior in incident response playbooks for persistence review on affected Windows hosts.

Analyst notes and limits

The supplied ATT&CK detection strategy has no official description or detection text, so this take is derived from the object name and its relationship to T1546.001. The related technique confirms the Windows context and the persistence/privilege-escalation relevance. Detection quality will depend heavily on local Windows logging, EDR visibility, Registry event fidelity, and the ability to correlate configuration changes with later execution.

Platforms and tactics are not specified directly on the detection-strategy object, and no official analytic logic, data components, or mitigations were supplied. This summary should be treated as defensive planning guidance, not as a complete detection rule or confirmation of existing coverage.

Official MITRE ATT&CK definition

Detect Default File Association Hijack via Registry & Execution Correlation on Windows

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1546.001
Name: Change Default File Association (Sub-technique)
Relationship / procedure: This object detects Change Default File Association.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
8e4d6be72ac2207a...
Imported snapshots across ATT&CK releases (1)
Release: 19.1
Bundle imported: (not recorded in this snapshot)
Object version: 1.0
Modified: (not recorded in this snapshot)
Status: Current bundle
Raw hash: 8e4d6be72ac2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0061 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.