File Extension Hijacking
Location:
HKCU\txtfile\shell\open\command
Classification:
| Criteria | Value |
|---|---|
| Permissions | User |
| Security context | User |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | User initiated |
| Impact | Destructive (1) |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
Replacing the default application for opening txt files can be used as a persistence mechanism. The stored payload will be triggered when the user opens a txt file.
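As an added detection check (not part of this catalogue entry), the Python below parses the output of `reg query` for the txtfile handler key and flags any open command whose executable is not Notepad under the Windows directory. The three query dumps are constructed samples, and the editor allowlist and system root are assumptions to adapt to the environment.

```python
import re
import ntpath

# Assumed baseline: on a stock system the .txt handler is Notepad in the Windows
# directory. Adjust ALLOWED_EXES if a different editor is the corporate standard.
ALLOWED_EXES = {"notepad.exe"}
SYSTEM_ROOT = r"C:\Windows"

# Constructed samples of `reg query` output for the per-user handler key.
CLEAN_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\NOTEPAD.EXE %1
"""
HIJACKED_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command
    (Default)    REG_SZ    "C:\Users\Public\updater.exe" "%1"
"""
LOOKALIKE_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command
    (Default)    REG_SZ    "C:\Users\Public\notepad.exe" "%1"
"""

_DEFAULT_RE = re.compile(r"^\s*\(Default\)\s+(REG_\w+)\s+(.*?)\s*$",
                         re.IGNORECASE | re.MULTILINE)

def extract_exe(command: str) -> str:
    """Return the executable path from a shell open command, handling both
    quoted ('"C:\\x.exe" "%1"') and unquoted ('C:\\x.exe %1') forms."""
    command = command.replace("%SystemRoot%", SYSTEM_ROOT).replace("%windir%", SYSTEM_ROOT)
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def check_txtfile_handler(reg_output: str) -> dict:
    """Classify one `reg query ...\\txtfile\\shell\\open\\command` dump as
    'absent' (no per-user override, so the machine-wide handler applies),
    'ok' (allowlisted editor in the Windows directory) or 'suspicious'."""
    m = _DEFAULT_RE.search(reg_output)
    if not m:
        return {"status": "absent", "exe": "", "reason": "no (Default) value under HKCU"}
    exe = extract_exe(m.group(2))
    name = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower()
    if name not in ALLOWED_EXES:
        return {"status": "suspicious", "exe": exe, "reason": f"unexpected editor {name!r}"}
    if not directory.startswith(SYSTEM_ROOT.lower()):
        # Right file name, wrong location: a lookalike binary, not the system editor.
        return {"status": "suspicious", "exe": exe, "reason": "editor outside Windows directory"}
    return {"status": "ok", "exe": exe, "reason": "default handler"}
```

Because the payload typically still launches the real editor (see the footnote), the executable path in the handler command, not the behaviour the user sees, is what the check has to key on.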
References:
https://attack.mitre.org/techniques/T1546/001
Credits:
See also:
Remarks:
-
(1) In order to still be able to open txt files with an editor, a corresponding process call must be implemented within the payload.