From 25b1b355760f07ec71eabca77338981028503f9c Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Tue, 3 Dec 2024 13:22:01 +0100
Subject: [PATCH] merge universal app uri with default file association; add better reference

---
 ...ia-default-file-association-registry-key.yml | 9 +++++----
 ...rsist-via-universal-app-uri-registry-key.yml | 17 -----------------
 2 files changed, 5 insertions(+), 21 deletions(-)
 delete mode 100644 nursery/persist-via-universal-app-uri-registry-key.yml

diff --git a/nursery/persist-via-default-file-association-registry-key.yml b/nursery/persist-via-default-file-association-registry-key.yml
index 6a1b25cf..146c23ce 100644
--- a/nursery/persist-via-default-file-association-registry-key.yml
+++ b/nursery/persist-via-default-file-association-registry-key.yml
@@ -10,11 +10,12 @@ rule:
 att&ck:
 - Persistence::Event Triggered Execution::Change Default File Association [T1546.001]
 references:
- - https://woshub.com/managing-default-file-associations-in-windows-10/
+ - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association
+ - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 features:
 - and:
 - match: set registry value
 - or:
- - string: /file\\shell\\open\\command/i
- - string: /file\\shell\\print\\command/i
- - string: /file\\shell\\printto\\command/i
+ - string: /\\shell\\open\\command/i
+ - string: /\\shell\\print\\command/i
+ - string: /\\shell\\printto\\command/i
diff --git a/nursery/persist-via-universal-app-uri-registry-key.yml b/nursery/persist-via-universal-app-uri-registry-key.yml
deleted file mode 100644
index 29e2cefc..00000000
--- a/nursery/persist-via-universal-app-uri-registry-key.yml
+++ /dev/null
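Review bot: Dropping the `file` prefix from the three `\\shell\\...\\command` patterns widens the rule to any ProgID shell verb, including the `Classes\App*\Shell\open\command` Universal App URI path the deleted rule matched, but nothing in the rule records that the two cases were merged; the name and the T1546.001 mapping still describe only default file associations. An analyst triaging a hit on an app URI handler, or a maintainer reading the rule later, has no way to see that the broader match is intended rather than an over-loose regex. Suggest a `description` entry in the rule's `meta` mapping (the `meta` block starts above this hunk), e.g. `description: also matches Universal App URI handlers (Classes\App*\Shell\open\command); merged from persist-via-universal-app-uri-registry-key`. Since the widened pattern is likely to fire on ordinary installers that register a file handler, noting that expected false-positive surface in the same description would help when the rule is reviewed for promotion out of nursery.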
@@ -1,17 +0,0 @@
-rule:
- meta:
- name: persist via Universal App Uri registry key
- namespace: persistence/registry
- authors:
- - j.j.vannielen@utwente.nl
- scopes:
- static: function
- dynamic: call
- att&ck:
- - Persistence::Event Triggered Execution [T1546]
- references:
- - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
- features:
- - and:
- - match: set registry value
- - string: /Classes\\App.*\\Shell\\open\\command/i