Default File Association

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access, or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\print\command
HKEY_CLASSES_ROOT\txtfile\shell\printto\command

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.


On Windows, extensions that are known by the operating system are defined in the registry. For example, take a .txt file.

Below we see the registry entry responsible for opening a text file.

Each of these extensions may be connected to a handler that is also defined in the registry. In this case, we know .txt files are handled by Notepad.

In this section, the important entry we want to know about is the command option:

We can see that Notepad runs with parameters; one of them, %1, is the name of the file that was clicked. Thanks to this, Notepad opens the clicked file.

We can replace the value to point it to our payload and gain a shell. But we also don't want to break the normal behaviour of opening the file, so we create a small batch script that calls our payload and then the proper program for the extension. These should be the final settings for the hijack.

Then we open a regular .txt file and check our shell connection.

We have to be lucky: the file name must not contain a space (" "), or it will be taken as two different files to be opened.
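A defender's check for the hijack described above, as an added example that is not part of the original page: it parses text in the layout printed by `reg query HKCR\txtfile\shell /s` and flags shell\[action]\command values whose program is a script, a script interpreter, or located outside the usual install directories. The sample output, the .bat path and the trusted-root list are constructed assumptions.

```python
import re

# Constructed sample in the layout printed by `reg query HKCR\txtfile\shell /s`.
# The .bat path is a made-up stand-in for a wrapper script like the one described above.
SAMPLE = r"""
HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_SZ    C:\Users\Public\open_txt.bat %1

HKEY_CLASSES_ROOT\txtfile\shell\print\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\NOTEPAD.EXE /p %1

HKEY_CLASSES_ROOT\txtfile\shell\printto\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4"
"""

KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\([^\\]+)\\command$", re.I)
VAL_RE = re.compile(r"^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.\w{2,4})(?=\s|$)')
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed allow-list of install roots; tune it to the fleet being audited.
TRUSTED_ROOTS = ("%systemroot%\\", "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def executable(command):
    """Return the program part of a handler command line, quoted or bare."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else (command.split() or [""])[0]

def audit(reg_query_output):
    """Return (handler, action, command, reasons) for each suspicious shell command."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = KEY_RE.match(line.strip())  # None for keys that are not ...\command
            continue
        val = VAL_RE.match(line)
        if not (key and val):
            continue
        exe, reasons = executable(val.group(1)).lower(), []
        if exe.endswith(SCRIPT_EXT):
            reasons.append("handler is a script")
        if exe.rsplit("\\", 1)[-1] in INTERPRETERS:
            reasons.append("handler is a script interpreter")
        if not exe.startswith(TRUSTED_ROOTS):
            reasons.append("handler outside system/program directories")
        if reasons:
            findings.append((key.group(1), key.group(2), val.group(1), reasons))
    return findings

if __name__ == "__main__":
    for handler, action, command, reasons in audit(SAMPLE):
        print(f"{handler}\\{action}: {command} -> {', '.join(reasons)}")
```

A wrapper script that still launches the original program leaves file opening working normally, so a comparison of the command value against a known-good baseline is what surfaces the change.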

