Description
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is looked up. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access, or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with that extension is opened.
System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The default value of that key names a handler (a ProgID such as txtfile) whose definition lives at HKEY_CLASSES_ROOT\[handler]. The commands for each action (verb) are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command
* HKEY_CLASSES_ROOT\txtfile\shell\print\command
* HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The default value of each command key is the command line executed when that action (open, print, printto) is invoked on a file with the associated extension. Adversaries can modify these values so that arbitrary commands run every time such a file is opened.(Citation: TrendMicro TROJ-FAKEAV OCT 2012) Note that HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, and the per-user entries take precedence, so an adversary can hijack an association for the current user without administrative rights.
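As an added example (not part of the ATT&CK page or of any report it cites), the following PowerShell walks the handler chain described above for a list of extensions, reports which hive actually supplies each verb command, and flags commands that point outside the Windows or Program Files directories or that come from the per-user Classes hive. The extension list, the set of trusted roots and the function names are assumptions chosen for illustration; the script only reads the Registry.

```powershell
# Added example, not from the ATT&CK page: audit file-association handler
# commands. Read-only; run on Windows in any PowerShell session.

function Get-ShellVerbCommand {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. ".txt"

    # Step 1: HKCR\.ext -> the (Default) value names the handler ProgID, e.g. "txtfile".
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) { return }
    $progId = (Get-Item -Path $extKey).GetValue('')
    if ([string]::IsNullOrWhiteSpace($progId)) { return }

    # Step 2: HKCR\<ProgID>\shell\<verb>\command -> the (Default) value is the command line.
    $shellKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
    if (-not (Test-Path $shellKey)) { return }
    foreach ($verb in Get-ChildItem -Path $shellKey) {
        $cmdKey = "$shellKey\$($verb.PSChildName)\command"
        if (-not (Test-Path $cmdKey)) { continue }
        # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes and
        # the per-user hive wins, so record whether a user-level key supplies either
        # the extension mapping or this verb's command.
        $userHive = (Test-Path "HKCU:\Software\Classes\$Extension") -or
                    (Test-Path "HKCU:\Software\Classes\$progId\shell\$($verb.PSChildName)\command")
        $source = 'HKLM'
        if ($userHive) { $source = 'HKCU' }
        [pscustomobject]@{
            Extension = $Extension
            ProgId    = $progId
            Verb      = $verb.PSChildName
            Command   = (Get-Item -Path $cmdKey).GetValue('')
            Source    = $source
        }
    }
}

function Get-CommandExecutable {
    # Extract the executable from a command line such as
    #   "%SystemRoot%\system32\NOTEPAD.EXE" %1   or   C:\tool.exe "%1"
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return '' }
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c.Trim('"') -split '\s+', 2)[0]
}

function Find-SuspiciousHandler {
    # Assumption for this example: legitimate handlers live under SystemRoot or
    # Program Files. Anything else (temp or profile directories, bare names that
    # resolve through PATH) or anything sourced from HKCU is reported.
    param([string[]]$Extension = @('.txt', '.hwp', '.msc', '.js', '.vbs'))
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($ext in $Extension) {
        foreach ($h in Get-ShellVerbCommand -Extension $ext) {
            $exe = Get-CommandExecutable $h.Command
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            if (-not $trusted -or $h.Source -eq 'HKCU') { $h }
        }
    }
}

Find-SuspiciousHandler | Format-Table -AutoSize
```

Explorer's double-click path additionally consults the per-user UserChoice setting under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, which can select a different ProgID; this script follows only the HKEY_CLASSES_ROOT chain the description lists, so treat a clean result as necessary rather than sufficient.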
Platforms
Windows
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has a HWP document stealer module which changes the default program association in the registry to op... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process.(Ci... |
References
- Microsoft. (n.d.). Change which programs Windows 7 uses by default. Retrieved July 26, 2016.
- Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. Retrieved September 12, 2024.
- Plett, C. et al. (2017, October 15). assoc. Retrieved August 7, 2018.
- Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August 8, 2018.
Frequently Asked Questions
What is T1546.001 (Change Default File Association)?
T1546.001 is a MITRE ATT&CK technique named 'Change Default File Association'. It belongs to the Privilege Escalation, Persistence tactic(s). Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file associ...
How can T1546.001 be detected?
Detection of T1546.001 (Change Default File Association) centers on the Registry. Collect and analyze changes to the keys that map extensions to handlers and handler verbs to commands (HKEY_CLASSES_ROOT\.[extension], HKEY_CLASSES_ROOT\[handler]\shell\[action]\command, and their backing keys under HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes), for example with Sysmon registry events or EDR telemetry. Correlate each change with the process that made it, and with unusual child processes launched when files of that type are opened. Periodically compare the command values against a known-good baseline.
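As an added example (not part of the ATT&CK page), the following PowerShell pulls Sysmon registry value-set events (Event ID 13) from the local event log and keeps only writes that touch an extension mapping or a handler verb command, showing the writing process and the new value. It assumes Sysmon is installed with a configuration that logs registry writes under the Classes keys; the function name and the event count limit are chosen for illustration.

```powershell
# Added example, not from the ATT&CK page: surface Sysmon Event ID 13 (RegistryEvent,
# value set) records that modify file-association keys. Assumes Sysmon logs registry
# writes under ...\Software\Classes.

function Get-FileAssociationChange {
    param([int]$MaxEvents = 10000)

    # Sysmon reports the unnamed default value with a trailing "\(Default)" and
    # uses HKLM\..., HKU\<SID>\... or HKCR\... prefixes, so match all of them.
    $patterns = @(
        '(?i)(\\Classes\\|^HKCR\\)\.[^\\]+(\\\(Default\))?$',                       # HKCR\.ext -> ProgID
        '(?i)(\\Classes\\|^HKCR\\)[^\\]+\\shell\\[^\\]+\\command(\\\(Default\))?$'  # <ProgID>\shell\<verb>\command
    )

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        # Read EventData fields by name rather than by position so the script does
        # not depend on the field order of a particular Sysmon version.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $target = $data['TargetObject']
        if ($patterns | Where-Object { $target -match $_ }) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Image   = $data['Image']        # process that performed the write
                Target  = $target
                Details = $data['Details']      # the new ProgID or command line
            }
        }
    }
}

Get-FileAssociationChange | Sort-Object Time -Descending | Format-Table -AutoSize
```

In practice, run the same query centrally in the SIEM and baseline the Image column: installers and Default Apps settings legitimately write these keys, while a script host, an Office process or a binary in a user-writable directory doing so is the pattern worth alerting on.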
What mitigations exist for T1546.001?
This technique abuses a legitimate Windows feature rather than a vulnerability, so it cannot easily be prevented by patching or by a single control. Reduce exposure by limiting which accounts and programs can write to the association keys under HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes (least privilege), restricting what can execute from user-writable locations, and monitoring those keys for changes so that a hijacked handler is caught before it is relied on for persistence.
Which threat groups use T1546.001?
Known threat groups using T1546.001 include: Kimsuky.