Change Default File Association

Change Default File Association [T1546.001]

Information

Name: Change Default File Association
ID: T1546.001
Tactics: ,
Technique:

Introduction

The MITRE ATT&CK sub-technique "Change Default File Association" (T1546.001) refers to adversaries modifying the default file associations within operating systems. By altering these associations, attackers can execute malicious payloads whenever a user attempts to open specific file types. This sub-technique falls under the broader technique of "Event Triggered Execution," leveraging legitimate system functionalities to achieve persistence, privilege escalation, or initial access.

Deep Dive Into Technique

Adversaries utilize this sub-technique by modifying the default file associations configured within the operating system. File associations determine which application automatically opens when a user interacts with a particular file type. Attackers typically exploit this mechanism through:

Windows Registry Manipulation:
- Default associations in Windows are stored within registry keys, primarily under:
  - HKEY_CLASSES_ROOT
  - HKEY_CURRENT_USER\Software\Classes
  - HKEY_LOCAL_MACHINE\Software\Classes
- Attackers modify registry entries to associate benign file extensions (e.g., .docx, .pdf, .txt) with malicious executables or scripts.
- Common registry values targeted include:
  - (Default) key values defining file handlers.
  - shell\open\command subkeys specifying the executable and parameters used to open files.
macOS and Linux Systems Modification:
- File associations in macOS are governed by Launch Services and can be manipulated through tools such as duti or by directly editing plist files.
- Linux environments manage file associations through desktop entries (.desktop files) located typically in /usr/share/applications or ~/.local/share/applications.
- Attackers may create or alter these desktop entries to redirect file openings to malicious scripts or binaries.
Execution Mechanism:
- When a user double-clicks or opens a file with a modified association, the operating system automatically executes the attacker-defined payload.
- Payloads can include malware, scripts, or commands designed to provide persistence, escalate privileges, or facilitate lateral movement within the compromised system or network.

When this Technique is Usually Used

Attackers commonly employ this sub-technique during various stages of an attack lifecycle, including:

Persistence:
- Ensuring continuous access to compromised systems by triggering malicious payloads each time a user interacts with specific file types.
Privilege Escalation:
- Leveraging file associations to execute payloads with higher privileges, especially if the associated application or handler runs with elevated permissions.
Initial Access and Execution:
- Modifying associations as part of initial compromise or phishing campaigns, causing unsuspecting users to execute malicious payloads inadvertently.
Lateral Movement and Defense Evasion:
- Changing file associations to evade detection by disguising malicious activities under legitimate file-opening behaviors, helping attackers move laterally within a network without raising alarms.

How this Technique is Usually Detected

Detection of "Change Default File Association" activities typically involves monitoring and analyzing specific system behaviors, registry keys, and configuration changes. Effective detection methods include:

Monitoring Registry Changes (Windows):
- Employing endpoint detection and response (EDR) tools to detect unusual modifications to registry keys related to file associations:
  - HKEY_CLASSES_ROOT
  - HKEY_CURRENT_USER\Software\Classes
  - HKEY_LOCAL_MACHINE\Software\Classes
- Alerting on unauthorized or unexpected registry edits, especially those made by uncommon or unsigned processes.
File Integrity Monitoring (FIM):
- Utilizing FIM tools to detect unauthorized changes in desktop entries (.desktop files) on Linux or plist files in macOS systems.
Behavioral Analysis and Endpoint Monitoring:
- Monitoring processes and scripts executed upon file interactions.
- Identifying unusual parent-child process relationships, such as a document file opening an unknown or suspicious executable.
Log Analysis and SIEM Integration:
- Integrating system logs with Security Information and Event Management (SIEM) systems to correlate events and detect anomalies in file-opening behaviors or handler executions.
Indicators of Compromise (IoCs):
- Suspicious registry key values, such as unexpected paths or executable references.
- Unusual .desktop or plist file entries pointing to unknown binaries or scripts.
- Unexpected executable paths stored in file association handlers.

Why it is Important to Detect This Technique

Early detection of changes in default file associations is crucial due to the potentially severe impacts and implications for cybersecurity posture:

Persistence and Long-Term Access:
- Attackers can maintain persistent access by embedding malicious payloads that execute automatically, complicating remediation efforts.
User and System Compromise:
- Users unknowingly trigger malicious payloads, leading to unauthorized data access, data exfiltration, or system compromise.
Privilege Escalation:
- Exploiting file association handlers that run with elevated privileges can allow attackers to escalate privileges, gaining administrative control.
Defense Evasion:
- By disguising malicious executions behind legitimate file-opening actions, attackers evade detection mechanisms, prolonging breach duration.
Operational Disruption and Data Loss:
- Malicious payloads executed through altered file associations can disrupt critical business operations, compromise sensitive data, and cause extensive financial and reputational damage.

Examples

Real-world examples and attack scenarios leveraging "Change Default File Association" include:

APT41 Attack Campaign:
- APT41, a known threat actor, has modified Windows registry keys to associate common file types (e.g., .pdf, .docx) with malicious executables, enabling persistent access and data exfiltration.
FIN7 Group Operations:
- The FIN7 cybercriminal group has been documented altering file associations on targeted Windows systems, redirecting file openings to malware payloads, facilitating lateral movement, and maintaining persistence.
Malware Families Utilizing File Association Modification:
- Certain malware variants, such as TrickBot and Emotet, have employed scripts or malicious binaries to alter default file associations, ensuring persistent infection and recurrent execution.
Linux Desktop Environment Exploits:
- Attackers have been observed creating or modifying .desktop files, associating common file types (e.g., PDF, text files) with malicious scripts or binaries, ensuring malicious payload execution upon user interaction.
macOS Malware Campaigns:
- Malware campaigns like Shlayer have manipulated macOS Launch Services and plist files, redirecting file associations to malicious applications, resulting in unauthorized software installations and data compromise.

In these scenarios, attackers leverage legitimate system functionalities to achieve persistent, stealthy, and effective compromise, underscoring the necessity for robust detection and mitigation strategies against this sub-technique.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Windows Registry Manipulation:

Default associations in Windows are stored within registry keys, primarily under:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER\Software\Classes
- HKEY_LOCAL_MACHINE\Software\Classes
Attackers modify registry entries to associate benign file extensions (e.g., .docx, .pdf, .txt) with malicious executables or scripts.
Common registry values targeted include:
- (Default) key values defining file handlers.
- shell\open\command subkeys specifying the executable and parameters used to open files.

macOS and Linux Systems Modification:

File associations in macOS are governed by Launch Services and can be manipulated through tools such as duti or by directly editing plist files.
Linux environments manage file associations through desktop entries (.desktop files) located typically in /usr/share/applications or ~/.local/share/applications.
Attackers may create or alter these desktop entries to redirect file openings to malicious scripts or binaries.

Execution Mechanism:

When a user double-clicks or opens a file with a modified association, the operating system automatically executes the attacker-defined payload.
Payloads can include malware, scripts, or commands designed to provide persistence, escalate privileges, or facilitate lateral movement within the compromised system or network.

When this Technique is Usually Used

Attackers commonly employ this sub-technique during various stages of an attack lifecycle, including:

Persistence:

Ensuring continuous access to compromised systems by triggering malicious payloads each time a user interacts with specific file types.

Privilege Escalation:

Leveraging file associations to execute payloads with higher privileges, especially if the associated application or handler runs with elevated permissions.

Initial Access and Execution:

Modifying associations as part of initial compromise or phishing campaigns, causing unsuspecting users to execute malicious payloads inadvertently.

Lateral Movement and Defense Evasion:

Changing file associations to evade detection by disguising malicious activities under legitimate file-opening behaviors, helping attackers move laterally within a network without raising alarms.

How this Technique is Usually Detected

Monitoring Registry Changes (Windows):

Employing endpoint detection and response (EDR) tools to detect unusual modifications to registry keys related to file associations:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER\Software\Classes
- HKEY_LOCAL_MACHINE\Software\Classes
Alerting on unauthorized or unexpected registry edits, especially those made by uncommon or unsigned processes.

File Integrity Monitoring (FIM):

Utilizing FIM tools to detect unauthorized changes in desktop entries (.desktop files) on Linux or plist files in macOS systems.

Behavioral Analysis and Endpoint Monitoring:

Monitoring processes and scripts executed upon file interactions.
Identifying unusual parent-child process relationships, such as a document file opening an unknown or suspicious executable.

Log Analysis and SIEM Integration:

Integrating system logs with Security Information and Event Management (SIEM) systems to correlate events and detect anomalies in file-opening behaviors or handler executions.

Indicators of Compromise (IoCs):

Suspicious registry key values, such as unexpected paths or executable references.
Unusual .desktop or plist file entries pointing to unknown binaries or scripts.
Unexpected executable paths stored in file association handlers.

Why it is Important to Detect This Technique

Early detection of changes in default file associations is crucial due to the potentially severe impacts and implications for cybersecurity posture:

Persistence and Long-Term Access:

Attackers can maintain persistent access by embedding malicious payloads that execute automatically, complicating remediation efforts.

User and System Compromise:

Users unknowingly trigger malicious payloads, leading to unauthorized data access, data exfiltration, or system compromise.

Privilege Escalation:

Exploiting file association handlers that run with elevated privileges can allow attackers to escalate privileges, gaining administrative control.

Defense Evasion:

By disguising malicious executions behind legitimate file-opening actions, attackers evade detection mechanisms, prolonging breach duration.

Operational Disruption and Data Loss:

Malicious payloads executed through altered file associations can disrupt critical business operations, compromise sensitive data, and cause extensive financial and reputational damage.

Examples

Real-world examples and attack scenarios leveraging "Change Default File Association" include:

APT41 Attack Campaign:

APT41, a known threat actor, has modified Windows registry keys to associate common file types (e.g., .pdf, .docx) with malicious executables, enabling persistent access and data exfiltration.

FIN7 Group Operations:

The FIN7 cybercriminal group has been documented altering file associations on targeted Windows systems, redirecting file openings to malware payloads, facilitating lateral movement, and maintaining persistence.

Malware Families Utilizing File Association Modification:

Certain malware variants, such as TrickBot and Emotet, have employed scripts or malicious binaries to alter default file associations, ensuring persistent infection and recurrent execution.

Linux Desktop Environment Exploits:

Attackers have been observed creating or modifying .desktop files, associating common file types (e.g., PDF, text files) with malicious scripts or binaries, ensuring malicious payload execution upon user interaction.

macOS Malware Campaigns:

Malware campaigns like Shlayer have manipulated macOS Launch Services and plist files, redirecting file associations to malicious applications, resulting in unauthorized software installations and data compromise.