MITRE ATT&CK™ Analysis - T1546.001 Change Default File Association


Change Default File Association

Whenever a file is opened in Windows, the operating system looks up the file association for that file type/extension in a list of registered handlers set up to open it. For example, a .doc file may open in MS Word, a .jpeg in an image viewer, a .txt in Notepad, and so on. By modifying these association values in the registry, we are able to have an arbitrary program run whenever a file with the given extension is opened.

Change Default File Association Analysis

Lab Example

RED TEAM: ATTACK

In the example below we have created our very own file extension, ‘.raiju’, and set its default open command to calc.exe, so that calc.exe runs whenever a ‘.raiju’ file is opened. We have also placed an enticing file called YummyBurgers.raiju on the desktop, which is nothing more than a null byte file.

(Screenshot: T1042 - Change Default File Association)

By opening this blank file we spawn calc.exe on the host, which can be an excellent way of maintaining persistence.

BLUE TEAM: DEFEND

Because this abuses a legitimate system feature it isn’t easily detectable; however, Sysmon Event ID 13 (RegistryEvent: Value Set) reveals the modified association value to us.

(Screenshot: T1042 - Change Default File Association)

*Clarification - later versions of Sysmon allow us to define a rule name, which we have used in our Sysmon configuration to map this event to the MITRE technique.
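As an added example (not code from the original post), the following Python flags Sysmon Event ID 13 records that set a file-association value, either the ProgID for an extension or the `shell\<verb>\command` value that actually launches a program. The sample events are constructed in the shape of Sysmon's TargetObject/Details fields; the `.raiju` extension and the `raiju_auto_file` ProgID are assumed values for the lab scenario.

```python
import re

# A value set under <ProgID>\shell\<verb>\command is the launch command for that
# association. Matches HKLM/HKU ...\Classes\... as well as a bare HKCR\... prefix.
ASSOC_COMMAND = re.compile(
    r"(?:\\Classes|^HKCR)\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\\(Default\)$",
    re.IGNORECASE,
)
# The (Default) value of an extension key (e.g. \Classes\.raiju) names the ProgID it maps to.
EXT_DEFAULT = re.compile(r"(?:\\Classes|^HKCR)\\(?P<ext>\.[^\\]+)\\\(Default\)$", re.IGNORECASE)


def classify(event):
    """Return a finding for a Sysmon Event ID 13 (RegistryEvent: Value Set) that
    touches a file association, or None if the event is unrelated."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    m = ASSOC_COMMAND.search(target)
    if m:
        return {"kind": "shell_command", "progid": m.group("progid"), "verb": m.group("verb"),
                "command": event.get("Details", ""), "image": event.get("Image", "")}
    m = EXT_DEFAULT.search(target)
    if m:
        return {"kind": "extension_progid", "ext": m.group("ext"),
                "progid": event.get("Details", ""), "image": event.get("Image", "")}
    return None


def scan(events):
    """Run classify() over a list of event dicts and keep only the association changes."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events (not real telemetry) modelled on Sysmon Event ID 13 fields.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\.raiju\\(Default)", "Details": "raiju_auto_file"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\raiju_auto_file\\shell\\open\\command\\(Default)",
     "Details": "C:\\Windows\\System32\\calc.exe \"%1\""},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",   # unrelated registry write
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start", "Details": "DWORD (0x00000002)"},
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",              # key create, not a value set
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\.raiju"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In practice the `image` field is what separates an installer legitimately registering a file type from a user-land process writing a command value for an extension nobody installed.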

The end result is that we have a null byte file which essentially acts as a bootstrapper to execute ‘malware’ on this machine.