Event Triggered Execution: Change Default File Association

Other sub-techniques of Event Triggered Execution (16)

ID	Name
T1546.001	Change Default File Association
T1546.002	Screensaver
T1546.003	Windows Management Instrumentation Event Subscription
T1546.004	Unix Shell Configuration Modification
T1546.005	Trap
T1546.006	LC_LOAD_DYLIB Addition
T1546.007	Netsh Helper DLL
T1546.008	Accessibility Features
T1546.009	AppCert DLLs
T1546.010	AppInit DLLs
T1546.011	Application Shimming
T1546.012	Image File Execution Options Injection
T1546.013	PowerShell Profile
T1546.014	Emond
T1546.015	Component Object Model Hijacking
T1546.016	Installer Packages

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.^[1]^[2]^[3] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under HKEY_CLASSES_ROOT.[extension], for example HKEY_CLASSES_ROOT.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\print\command
HKEY_CLASSES_ROOT\txtfile\shell\printto\command

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.^[4]

ID: T1546.001

Sub-technique of: T1546

ⓘ

Tactics: Privilege Escalation, Persistence

ⓘ

Platforms: Windows

ⓘ

Permissions Required: Administrator, SYSTEM, User

Contributors: Stefan Kanthak; Travis Smith, Tripwire

Version: 1.0

Created: 24 January 2020

Last Modified: 30 March 2023

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G0094	Kimsuky	Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.^[5]
S0692	SILENTTRINITY	SILENTTRINITY can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process.^[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by a file type association.
DS0009	Process	Process Creation	Monitor for newly executed processes that may establish persistence by executing malicious content triggered by a file type association.
DS0024	Windows Registry	Windows Registry Key Modification	Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. User file association preferences are stored under `[HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts` and override associations configured under `[HKEY_CLASSES_ROOT]`. Changes to a user's preference will occur under this entry's subkeys.

Event Triggered Execution: Change Default File Association

Other sub-techniques of Event Triggered Execution (16)

Procedure Examples

Mitigations

Detection

References