Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
attack_technique: T1546.001
|
|
display_name: 'Event Triggered Execution: Change Default File Association'
|
|
atomic_tests:
|
|
- name: Change Default File Association
|
|
auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102
|
|
description: |
|
|
Change Default File Association From cmd.exe of hta to notepad.
|
|
|
|
Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
target_extension_handler:
|
|
description: txtfile maps to notepad.exe
|
|
type: path
|
|
default: txtfile
|
|
extension_to_change:
|
|
description: File Extension To Hijack
|
|
type: string
|
|
default: .hta
|
|
#Adding additional input arguement below for new cleanup command
|
|
original_extension_handler:
|
|
description: File Extension To Revert
|
|
type: string
|
|
default: htafile
|
|
executor:
|
|
command: |
|
|
assoc #{extension_to_change}=#{target_extension_handler}
|
|
cleanup_command: |
|
|
assoc #{extension_to_change}=#{original_extension_handler}
|
|
|
|
name: command_prompt
|
|
elevation_required: true
|