RP2005: Hijack default file extension
Summary
ID | RP2005 |
---|---|
Brief Description | Response playbook for detected persistence by hijacking default file extension. |
Author | @Cyberok |
Creation Date | 2023/02/03 |
Modification Date | 2023/02/03 |
Tags | |
Usecases | |
Description
This attack can allow an adversary to evade defenses and blend in with the environment. One way it occurs is when a file extension is manipulated to trick a user into executing what they think is a benign file type but is actually executable code.
Defenders may want to monitor the registry for file-extension command changes, especially when the data field contains binaries located in unusual places.
Workflow
For better triage and response results, identify and analyze the artifacts from the use case.
- Look for Windows Registry modification commands. Search for specific objects in the Windows Registry.
Extension handlers are defined at two levels: global handlers, defined under:
…and local handlers, defined for a particular user, i.e.:
Their order of precedence is: if no local extension/extension handler is defined, the global one is used. Without Administrator privileges the keys under HKEY_CLASSES_ROOT cannot be modified, but they can still be read, and the keys belonging to the current user can be modified by that user.
So the basic activity in this attack is to read the globally defined extension handlers, rewrite them locally and then install the hijack.
- Search for the malware file referenced by the hijacked extension found in the previous step. List the processes executed by the malware file or its child processes. Try to understand the "impact" of this malware: what it has done and which resources were accessed.
- Take any containment action depending on the situation and the level of the asset's criticality. For example, if the persistence attempt was successful, it may be reasonable to block the suspicious process (this can be an automated action in a response rule):
  - Block process by executable content pattern
- Take any eradication action depending on the situation and the level of the asset's criticality. For example, if you find a modified file extension and there is no need to quarantine the host, it is reasonable to delete the extra extension keys:
  - Remove registry key
- Take recovery action depending on the previous containment and eradication actions:
  - Recover modification
- Report the incident, remove security breaches, conduct lessons learned exercises.
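As an added identification example (not part of this playbook), the following PowerShell resolves each extension's effective `shell\open\command` through the merged HKEY_CLASSES_ROOT view and compares it with the machine-wide definition under HKLM\Software\Classes, so any per-user override at the extension or ProgID level, or a handler whose executable sits in a user-writable directory, is surfaced for triage. It assumes it runs on the affected host under the user whose hive is being examined; the directory list is an assumption to adjust per environment.

```powershell
# Added example, not from the playbook. HKEY_CLASSES_ROOT merges HKLM\Software\Classes
# (machine-wide) with HKCU\Software\Classes (per-user, writable without admin rights),
# so a difference between the merged view and HKLM alone means a per-user override.
$MergedRoot = 'Registry::HKEY_CLASSES_ROOT'
$GlobalRoot = 'HKLM:\Software\Classes'
# Assumed list of user-writable locations; extend to match the environment.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:ProgramData)

function Get-OpenCommand {
    # Follows <root>\<ext> (default) -> ProgID -> <root>\<ProgID>\shell\open\command (default)
    param([string]$Root, [string]$Extension)
    $extKey = Get-Item -LiteralPath "$Root\$Extension" -ErrorAction SilentlyContinue
    $progId = if ($extKey) { $extKey.GetValue('') } else { $null }
    if (-not $progId) { return $null }
    $cmdKey = Get-Item -LiteralPath "$Root\$progId\shell\open\command" -ErrorAction SilentlyContinue
    if ($cmdKey) { return $cmdKey.GetValue('') } else { return $null }
}

function Get-ExecutableFromCommand {
    # First token of the command line (quoted or bare), with %SystemRoot%-style variables expanded
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"' -or $Command -match '^\s*(\S+)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Find-ExtensionHandlerOverrides {
    $findings = @()
    $extKeys = Get-ChildItem -LiteralPath $MergedRoot | Where-Object { $_.PSChildName -like '.*' }
    foreach ($key in $extKeys) {
        $ext = $key.PSChildName
        $effective = Get-OpenCommand -Root $MergedRoot -Extension $ext
        if (-not $effective) { continue }           # no open handler for this extension
        $global = Get-OpenCommand -Root $GlobalRoot -Extension $ext
        $exe = Get-ExecutableFromCommand $effective
        $inUserDir = $UserWritable | Where-Object { $_ -and $exe -like "$_*" }
        if ($effective -ne $global -or $inUserDir) {
            $findings += [pscustomobject]@{
                Extension        = $ext
                EffectiveCommand = $effective
                GlobalCommand    = $global
                Executable       = $exe
                Reason           = if ($inUserDir) { 'executable in user-writable path' } else { 'per-user override of global handler' }
            }
        }
    }
    return $findings
}

Find-ExtensionHandlerOverrides | Format-Table -AutoSize
```

Each reported row gives the extension, both commands and the resolved executable, which feed directly into the "Search for file from registry link" and process-listing steps above.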
Response discovery mapping
ARTIFACT | RESPONSE ACTION | RESPONSE ACTION OBSERVABLES |
---|---|---|
Windows Registry | List registry key created; List registry key modified; Look for arguments in key values like `%1` | Persistence attempt artifact; Examine argument and what it stands for |
File | Identify means of attack; Search for file from registry link | Identified file to persistence |
P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host) should be used in Operational Preparations and as incoming arguments for other response actions, for example
Response mindmap diagram
Playbook Actions
Preparation
Identification
List Registry Keys Accessed
List Registry Keys Modified
List Files Modified
List Files Created
List Processes Executed
Find Process By Executable Content Pattern
Identify means of attack
Identify affected systems and users
Containment
Block Process By Executable Content Pattern
Eradication
Remove Registry Key
Remove Windows registry key with Powershell
Recovery
[Unimplemented] Recover modification
Lessons Learned
Develop Incident Report
Conduct Lessons Learned Exercise