Add Onlooker Default with airSlate SignNow

Add onlooker default

[Music] hi i'm andy and in this video we'll be exploring how to attack detect and defend against the abuse of default file associations right at the start i'm going to acknowledge that this is a very simple technique for achieving persistence on a compromised machine so simple that you might think this can't really be a proper technique but just because it's basic it doesn't mean it's not used by attackers and sometimes a simple hack is all that's required file associations are what links the type of file as designated by the file extension with an application used to open that file a default windows 10 installation will open txt files with notepad rtf files with wordpad and png files with the photo viewer these associations can be viewed and changed by the default program's control panel interface but the configuration itself is stored in the registry under hkey classes root an entry exists to link each file extension with a file handler here the txt key has a default value of txt file a second key of this name contains the specific commands to run for different shell interactions such as opening or printing note the presence of the percent one this gets substituted with the path to the file being opened or in other words when windows runs the associated program it'll include the name of the document as a command line argument it's then up to the program to interpret this accordingly [Music] an attacker can change the default file association for a given file type in order to establish persistence on a machine for example here the file association for txt files is being changed from notepad to the windows calculator attempting to open a text file now launches calc.exe any executable can be selected here the txt file association is being changed to a malicious binary attempting to open a txt file now looks like nothing is happening but is actually launching a reverse shell to an attacker controlled machine a slightly smarter version of this binary might also open up notepad at the same time as the reverse shell so that the user is completely unaware that anything suspicious is happening this technique is an example of event driven execution in this case whenever files of a certain type are opened and as the malicious code receives the file name of the file opened as a command line argument it can change its behavior based on the name of the file for example perhaps an attacker is particularly interested in obtaining documents relating to a certain top secret project so they may write some code that looks a little bit like this the code examines the command line argument to see if a file of interest has been opened and if so transfers it to an external server before opening it in the usual editor under operation it looks like nothing out the ordinary is occurring from the victim's point of view but the attacker is receiving a copy of each secret file [Music] as we saw in the introduction the currently active associations can be viewed via the control panel or via the registry so spotting changes can be achievable if you have a know and good list of associations to compare to although it's a lengthy manual process if you're checking any more than a couple of associations and of course real-life attackers are more likely to camouflage their malicious executables through the use of common file names and icons detecting changes to file associations in real time can be achieved through monitoring the registry either through a third party tool like system internal system or through the built-in windows registry auditing feature setting this up is a two-step process first we need to activate the auditing capability by setting the audit registry option under the object access audit policy second we need to configure what registry keys we're interested in auditing this is performed within the permissions window of the registry editor here i'm setting the set value option to be applied to all users so we receive audit events for any changed values let's give it a test i'll try changing the file association for this item then jump into the event viewer on windows 10 the event id of interest is 4657 under the security log within the details of this event we can see the old and the new values [Music] preventing the abuse of file associations is tricky as the feature is a fundamental part of windows but microsoft have introduced a few measures to provide some protection the observant amongst you may have spotted that during the configuration of auditing settings in the previous section we got a glance at the permissions for this branch of the registry and it's read only by normal users so that means only administrators can change the file associations under hkey classes root so as always don't give out local admin rights unless it's really really needed but this is only one of a few places where file associations can be set and there's a couple of others which are writable by normal users under hkey current user this is intended to allow individuals to customize their own file associations under windows 7 a non-privileged user account can add a couple of entries to pull off this attack one to create a new handler associated to the malicious exe and another to associate the targeted file extension with that new handler note of course that this change only applies to the current user account the same changes can be applied on windows 10. although when we come to check whether they work or not it turns out that they're ineffective we can see why this is by reverting our manual changes and instead following through the configuration of an alternative association via the gui method which microsoft intends for users to use if we examine the registry entries produced afterwards we can see the presence of a hash value this value is calculated from the username and application name and is checked whenever the association is used if it's missing or incorrect windows will ignore the association this is intended to prevent a user's associations being changed in the registry without them realizing it instead a user must follow a very intentional multi-step process but this is not cryptographically secure and it's been subsequently reverse engineered so it is again possible for an attacker to silently change the file associations without a user being aware it just needs a little extra code to do it under windows 10. here i'm using a tool called set user fta written by christoph kolbisk to set an association with the correctly calculated hash value so if we can't prevent associations from being changed effort should instead be focused on damage limitation for example by implementing some of the detection controls from the previous section and then investigating any changes alternatively other generic defense controls such as antivirus have a part to play even if they might not prevent the creation of a malicious association they can still go some way to detecting and preventing malicious code from running regardless of what technique is used to actually execute it that about wraps up this video if you found it useful please do give it a like and consider subscribing if you want more of this sort of content drop a note in the comments if you think there's anything i've missed around attacking detecting and defending against the abuse of default file associations or if you have a good idea of what topic i should cover next i'll see you next time