Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Change Default File Association

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access [1] [2] or by administrators using the built-in assoc utility. [3] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under HKEY_CLASSES_ROOT.[extension], for example HKEY_CLASSES_ROOT.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT[handler]\shell[action]\command. For example: HKEY_CLASSES_ROOT\txtfile\shell\open\command HKEY_CLASSES_ROOT\txtfile\shell\print\command* HKEY_CLASSES_ROOT\txtfile\shell\printto\command

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. [4]

ID: T1042

Tactic: Persistence

Platform:  Windows

Permissions Required:  User, Administrator, SYSTEM

Data Sources:  Windows Registry, Process monitoring, Process command-line parameters

CAPEC ID:  CAPEC-556

Contributors:  Stefan Kanthak, Travis Smith, Tripwire

Version: 1.0

Mitigation

Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. [5]

Identify and block potentially malicious software that may be executed by this technique using whitelisting [6] tools, like AppLocker, [7] [8] or Software Restriction Policies [9] where appropriate. [10]

Detection

Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.

User file association preferences are stored under [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.

Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.

References