T1546.001: Change Default File Association
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.[1][2][3] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\shell\\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command * HKEY_CLASSES_ROOT\txtfile\shell\print\command * HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.[4]
Analyst context for executives and security teams
Changing Windows default file associations can turn a normal user action, such as opening a common file type, into a persistence or privilege-escalation trigger. The business risk is not the file association itself; it is that execution can be hidden behind routine desktop behavior, making recovery and validation harder if registry changes are not monitored.
Executive priority
Treat this as a Windows endpoint persistence concern that depends heavily on registry visibility and incident response readiness. Leaders should ask whether endpoint monitoring can prove when file handlers changed, who or what changed them, and whether subsequent file-open activity launched unexpected commands. This matters for resilience because removing malware without correcting hijacked associations can leave a re-execution path in place. It also supports audit and compliance evidence around change monitoring for critical endpoint configuration.
Technical view
This is a Windows sub-technique of Event Triggered Execution under persistence and privilege escalation. ATT&CK identifies file association selections and handlers in the Windows Registry, including HKEY_CLASSES_ROOT entries for extensions and handler shell action command values. Detection engineering should validate correlation between registry modifications to file extension or handler command keys and later process execution when associated files are opened. The supplied relationship to DET0061 specifically points to registry and execution correlation as the relevant detection strategy. IR teams should include file association and handler review in persistence checks on affected Windows hosts.
Likely telemetry
- Windows Registry change events for file extension and handler keys under HKEY_CLASSES_ROOT
- Process creation telemetry showing commands launched from file-open actions
- Command-line telemetry for use of built-in association management utilities such as assoc where collected
- Endpoint security alerts or EDR events tied to registry modification followed by unusual process execution
- User, process, and administrative context for the account or program making the registry change
Detection direction
- Baseline expected handlers for common and business-critical file extensions, then alert on unauthorized or unusual changes to handler command values.
- Correlate registry changes with subsequent process creation rather than relying only on registry write events, which may be noisy during legitimate application installs or updates.
- Tune for legitimate software installation, default app changes, and administrator-driven configuration activity to reduce false positives.
- Prioritize investigation when a new handler points to an unusual executable path, script interpreter, or command sequence, or when the modifying process is not a known installer or management tool.
- Because ATT&CK provides no official detection text for this object, validate coverage through local telemetry testing and the related DET0061 strategy rather than assuming existing EDR coverage.
Mitigation priorities
- Restrict who can modify system-level file associations and handler command registry locations through least privilege and change control.
- Monitor and review registry changes for default file associations on Windows endpoints, especially servers, admin workstations, and high-risk user systems.
- Include file association integrity checks in incident response eradication and recovery procedures.
- Use application control or endpoint hardening where appropriate to limit unexpected programs from being launched through file handlers.
- Document approved default handlers so security teams can distinguish business-approved configuration changes from suspicious persistence.
Analyst notes and limits
ATT&CK associates this technique with Windows, persistence, and privilege escalation. It is a sub-technique of T1546 Event Triggered Execution and supersedes revoked technique T1042. Relationship data also shows use by Kimsuky and SILENTTRINITY, but this should be treated as historical ATT&CK context, not evidence of current activity in any environment.
The official ATT&CK object does not provide detection guidance, mitigations, or procedure details beyond the supplied relationships and references. Local Windows configuration, endpoint logging depth, EDR behavior, and software deployment practices determine whether this behavior is visible and whether alerts can be made reliable.
Change Default File Association
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.[1][2][3] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\shell\\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command * HKEY_CLASSES_ROOT\txtfile\shell\print\command * HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.[4]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1042 | Change Default File Association | Change Default File Association revoked by this object. |
| Enterprise | T1546 | Event Triggered Execution | This object subtechnique of Event Triggered Execution. |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
S0692: SILENTTRINITY
SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 21e0e1e3bc13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Microsoft Change Default Programs
Microsoft. (n.d.). Change which programs Windows 7 uses by default. Retrieved July 26, 2016.
Open source URL -
[2]
Microsoft File Handlers
Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. Retrieved September 12, 2024.
Open source URL -
[3]
Microsoft Assoc Oct 2017
Plett, C. et al.. (2017, October 15). assoc. Retrieved August 7, 2018.
Open source URL -
[4]
TrendMicro TROJ-FAKEAV OCT 2012
Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August 8, 2018.
Open source URL -
[5]
mitre-attack T1546.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.