My Favourite Security-focused GPO: Stopping Script Execution with File Associations

Kostas
4 min read · Nov 4, 2024

Some time ago, I stumbled upon an excellent post by Red Canary[1] that introduced a clever method to prevent users from accidentally executing malicious scripts. They suggested changing file associations so that when users double-click on scripts, they open in Notepad instead of running. While their approach is insightful, I noticed that applying their method domain-wide through Group Policy wasn’t as straightforward as it could be[2].

After searching around and not finding a straightforward guide on implementing this across an entire Active Directory domain, I decided to put together this post. Changing default file associations to block script execution is one of the safest policies you can apply, and it can significantly reduce the risk of users unintentionally running malicious scripts.

If you don’t have Medium Premium, you can read this blog here: https://kostas-ts.medium.com/59a05b6d181e?source=friends_link&sk=4e8aed8c955d15c94f0434bda0a5aab7

Why Change File Associations?

Script file types such as .js, .vbs, and .bat are frequently used by attackers to deliver malicious code. Such scripts typically appear in the early stages of an intrusion (MITRE ATT&CK T1059, Command and Scripting Interpreter), either to download the next stage or to launch malware that is already present on disk. By changing the default behavior of these file types so that they open in Notepad instead of executing, we can:

  • Prevent Accidental Execution: Users won’t unintentionally run potentially harmful scripts.
  • Enhance Security: Adds an extra layer of protection against script-based attacks.
  • Maintain Usability: Users can still view the contents of the scripts without executing them.

Step-by-Step Guide to Applying File Associations with GPO

1. Create the Default File Association XML

First, we’ll create an XML file that defines the new file associations for the script extensions we want to manage.

Example XML File:

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
<Association Identifier=".js" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
<Association Identifier=".wsh" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
</DefaultAssociations>


Written by Kostas

I am a security researcher. My interests lie in #ThreatIntel, #malware, #IR & #Threat_Hunting. I either post here or at http://thedfirreport.com/
