Member-only story
My Favourite Security-focused GPO: Stopping Script Execution with File Associations
Some time ago, I stumbled upon an excellent post by Red Canary[1] that introduced a clever method to prevent users from accidentally executing malicious scripts. They suggested changing file associations so that when users double-click on scripts, they open in Notepad instead of running. While their approach is insightful, I noticed that applying their method domain-wide through Group Policy wasn’t as straightforward as it could be[2].
After searching around and not finding a straightforward guide on implementing this across an entire Active Directory domain, I decided to put together this post. Changing default file associations to block script execution is one of the safest policies you can apply, and it can significantly reduce the risk of users unintentionally running malicious scripts.
If you don’t have medium Premium, you can read this blog here: https://kostas-ts.medium.com/59a05b6d181e?source=friends_link&sk=4e8aed8c955d15c94f0434bda0a5aab7
Why Change File Associations?
Script files like .js, .vbs, and .bat are often exploited by attackers to run malicious scripts. These scripts are typically utilized in the early stages of an intrusion (T1059 — Command and Scripting Interpreter) to download the next phase or activate malware that is already present on the disk. By changing the default behavior of these files to open in Notepad instead of executing, we can:
- Prevent Accidental Execution: Users won’t unintentionally run potentially harmful scripts.
- Enhance Security: Adds an extra layer of protection against script-based attacks.
- Maintain Usability: Users can still view the contents of the scripts without executing them.
Step-by-Step Guide to Applying File Associations with GPO
1. Create the Default File Association XML
First, we’ll create an XML file that defines the new file associations for the script extensions we want to manage.
Example XML File:
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
<Association Identifier=".js" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
<Association Identifier=".wsh" ProgId="Applications\notepad.exe"…
