{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-association/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["file-association","persistence","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe \u003ccode\u003eftype\u003c/code\u003e command is an internal command of the Windows \u003ccode\u003ecmd.exe\u003c/code\u003e shell that queries and modifies the open command registered for a file type (ProgID) under \u003ccode\u003eHKEY_CLASSES_ROOT\u003c/code\u003e; its companion \u003ccode\u003eassoc\u003c/code\u003e maps extensions to those file types, for example \u003ccode\u003e.txt\u003c/code\u003e to \u003ccode\u003etxtfile\u003c/code\u003e. Administrators use it to repair or change default handlers, but adversaries can abuse the same mechanism for persistence, execution, and defense evasion. Repointing a file type\u0026rsquo;s open command (for example \u003ccode\u003eftype txtfile=\"C:\\Users\\Public\\payload.exe\" \"%1\"\u003c/code\u003e) makes every \u003ccode\u003e.txt\u003c/code\u003e file opened through the shell launch the payload instead of Notepad; hijacking \u003ccode\u003eexefile\u003c/code\u003e the same way intercepts every \u003ccode\u003e.exe\u003c/code\u003e launched through the shell. Because the payload is started by \u003ccode\u003eexplorer.exe\u003c/code\u003e each time a user opens an ordinary file, the hijack survives reboots and runs under a trusted parent process rather than under the attacker\u0026rsquo;s own tooling. This activity is performed post-exploitation, after initial access; because \u003ccode\u003eftype\u003c/code\u003e writes through \u003ccode\u003eHKEY_CLASSES_ROOT\u003c/code\u003e into \u003ccode\u003eHKLM\\SOFTWARE\\Classes\u003c/code\u003e, modification normally requires an elevated shell. Defenders should monitor for unexpected \u003ccode\u003eftype\u003c/code\u003e invocations and for writes to \u003ccode\u003eshell\\open\\command\u003c/code\u003e registry values to identify potential malicious activity. 
The original Splunk detection was published in 2026, indicating that the technique has been publicly known and detectable for some time.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through exploitation or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains an elevated \u003ccode\u003ecmd.exe\u003c/code\u003e session, either interactively or by spawning \u003ccode\u003ecmd /c\u003c/code\u003e from PowerShell or a dropper; \u003ccode\u003eftype\u003c/code\u003e is a cmd.exe internal command, not a separate executable.\u003c/li\u003e\n\u003cli\u003eThe attacker runs \u003ccode\u003eftype\u003c/code\u003e (and \u003ccode\u003eassoc\u003c/code\u003e) with no arguments to enumerate existing associations and pick a file type that users open often, such as \u003ccode\u003etxtfile\u003c/code\u003e (\u003ccode\u003e.txt\u003c/code\u003e, \u003ccode\u003e.log\u003c/code\u003e) or \u003ccode\u003eexefile\u003c/code\u003e (\u003ccode\u003e.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker repoints the chosen type\u0026rsquo;s open command to a malicious executable, for example \u003ccode\u003eftype txtfile=\"C:\\Users\\Public\\payload.exe\" \"%1\"\u003c/code\u003e; the \u003ccode\u003e%1\u003c/code\u003e placeholder passes the clicked file\u0026rsquo;s path to the payload.\u003c/li\u003e\n\u003cli\u003eA user double-clicks a file of the hijacked type (for example a \u003ccode\u003e.txt\u003c/code\u003e file).\u003c/li\u003e\n\u003cli\u003eInstead of the text editor, \u003ccode\u003eexplorer.exe\u003c/code\u003e launches the malicious executable; a careful payload then opens the file in the original handler so the user notices nothing.\u003c/li\u003e\n\u003cli\u003eThe malicious executable performs its intended actions, such as installing malware, establishing further persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe hijack persists across reboots until the association is restored, giving the attacker recurring execution on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code with the privileges of whichever user opens a file of the hijacked type, and to do so repeatedly for as long as the association stays modified. This can lead to the installation of malware, data theft, and further compromise of the network. The number of victims and sectors targeted depends on the attacker\u0026rsquo;s objectives. 
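\u003c/p\u003e\n\u003cp\u003eThe detection side of the chain above, as an added example that is not part of the original brief or of Splunk\u0026rsquo;s detection content: a small Python analyzer that takes process-creation events (Sysmon Event ID 1 or Security 4688 fields), splits chained commands, isolates \u003ccode\u003eftype\u003c/code\u003e invocations, distinguishes enumeration and queries from assignments and deletions, resolves the affected extensions through an extension-to-ProgID map, and flags assignments whose target executable lives outside the expected Windows and Program Files directories. The event records, the \u003ccode\u003eASSOC_MAP\u003c/code\u003e table and the \u003ccode\u003eTRUSTED_PREFIXES\u003c/code\u003e list are constructed for the example; on a real host the map would come from \u003ccode\u003eassoc\u003c/code\u003e output or \u003ccode\u003eHKLM\\SOFTWARE\\Classes\u003c/code\u003e.\u003c/p\u003e

```python
import re

# Constructed extension-to-ProgID map standing in for the output of `assoc`;
# a real audit would build this from HKLM\SOFTWARE\Classes on the host.
ASSOC_MAP = {'.txt': 'txtfile', '.log': 'txtfile', '.exe': 'exefile', '.bat': 'batfile'}

# Directories an association target is normally expected to run from
# (an assumption for this example; tune to the environment).
TRUSTED_PREFIXES = (
    'c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\',
    '%systemroot%\\', '%windir%\\', '%programfiles%\\', '%programfiles(x86)%\\',
)

# ftype is internal to cmd.exe, so it only shows up in process-creation telemetry
# when a new cmd.exe is spawned with it on the command line (cmd /c ... or cmd /k ...).
# Chained commands are split on cmd.exe separators so each one is examined alone.
SEGMENT_SPLIT = re.compile(r'\s*(?:&&|\|\||&|\|)\s*')
FTYPE_RE = re.compile(r'^(?:.*?\s/[ck]\s+)?(")?ftype(?:\s+(.*))?$', re.IGNORECASE | re.DOTALL)


def parse_ftype(command_line):
    '''Return (action, progid, command) for every ftype invocation in a command line.
    action is one of: list (no args), query (name only), delete (name=), modify (name=command).'''
    found = []
    for segment in SEGMENT_SPLIT.split(command_line):
        m = FTYPE_RE.match(segment.strip())
        if not m:
            continue
        args = (m.group(2) or '').strip()
        if m.group(1) and args.endswith('"'):
            args = args[:-1].rstrip()      # drop the quote that closed cmd /c "..."
        if not args:
            found.append(('list', None, None))
            continue
        progid, sep, command = args.partition('=')
        progid, command = progid.strip(), command.strip()
        if not sep:
            found.append(('query', progid, None))
        elif not command:
            found.append(('delete', progid, None))
        else:
            found.append(('modify', progid, command))
    return found


def target_executable(command):
    '''First token of an open command: the binary that will actually run on double-click.'''
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0]


def is_trusted_target(exe):
    low = exe.lower()
    if low.startswith('%1'):               # exefile's default is "%1" %*: the file itself runs
        return True
    return low.startswith(TRUSTED_PREFIXES)


def affected_extensions(progid):
    '''Extensions whose files would now launch the hijacked open command.'''
    if not progid:
        return []
    return sorted(ext for ext, p in ASSOC_MAP.items() if p.lower() == progid.lower())


def analyze_event(event):
    '''Turn one process-creation event (Sysmon EID 1 / Security 4688 fields) into findings.'''
    findings = []
    for action, progid, command in parse_ftype(event['CommandLine']):
        target = target_executable(command) if command else None
        findings.append({
            'action': action,
            'progid': progid,
            'extensions': affected_extensions(progid),
            'target': target,
            'parent': event.get('ParentImage'),
            # Deleting an association or pointing it at an unexpected binary is worth an
            # alert; listing and querying are routine in admin scripts and only add noise.
            'suspicious': action == 'delete' or (action == 'modify' and not is_trusted_target(target)),
        })
    return findings


def suspicious_findings(events):
    return [f for e in events for f in analyze_event(e) if f['suspicious']]


# Constructed sample telemetry in the shape of Sysmon Event ID 1; not real captures.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\cmd.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': 'cmd.exe /c ftype'},                                   # enumeration only
    {'Image': r'C:\Windows\System32\cmd.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': 'cmd.exe /c ftype txtfile'},                           # query one ProgID
    {'Image': r'C:\Windows\System32\cmd.exe',
     'ParentImage': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': r'cmd.exe /c ftype txtfile="C:\Users\Public\Libraries\update.exe" "%1"'},
    {'Image': r'C:\Windows\System32\cmd.exe', 'ParentImage': r'C:\Users\Public\dropper.exe',
     'CommandLine': r'cmd.exe /c whoami & ftype exefile="C:\ProgramData\svc.exe" "%1" %*'},
    {'Image': r'C:\Windows\System32\cmd.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': r'cmd.exe /c ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1'},  # restoring default
    {'Image': r'C:\Windows\System32\cmd.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': 'cmd.exe /c echo ftype is a cmd.exe internal command'},  # word appears, no invocation
]

if __name__ == '__main__':
    for f in suspicious_findings(SAMPLE_EVENTS):
        print('{:6} {:8} {:10} target={}  parent={}'.format(
            f['action'], f['progid'], ','.join(f['extensions']) or '-', f['target'], f['parent']))
```

\u003cp\u003eRun as a script it reports the two hijacks (the \u003ccode\u003etxtfile\u003c/code\u003e one spawned from PowerShell and the \u003ccode\u003eexefile\u003c/code\u003e one chained after \u003ccode\u003ewhoami\u003c/code\u003e) and stays silent on the enumeration, the query, the restore of Notepad and the \u003ccode\u003eecho\u003c/code\u003e line that merely contains the word. What it cannot see is an \u003ccode\u003eftype\u003c/code\u003e typed into an already-running shell, since that creates no new process, which is why registry monitoring of \u003ccode\u003eshell\\open\\command\u003c/code\u003e belongs alongside it.\u003c/p\u003e\n\u003cp\u003e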
If the attack succeeds, it can result in significant data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with full command lines: Sysmon Event ID 1, or Security Event ID 4688 with the \u0026ldquo;Include command line in process creation events\u0026rdquo; policy enabled. Without the command line, 4688 records only \u003ccode\u003ecmd.exe\u003c/code\u003e and the \u003ccode\u003eftype\u003c/code\u003e arguments are lost.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003eftype\u003c/code\u003e is internal to \u003ccode\u003ecmd.exe\u003c/code\u003e, an \u003ccode\u003eftype\u003c/code\u003e typed into an already-running shell creates no new process and is invisible to process-creation telemetry. Complement it with registry monitoring of \u003ccode\u003eshell\\open\\command\u003c/code\u003e values under \u003ccode\u003eHKLM\\SOFTWARE\\Classes\u003c/code\u003e and \u003ccode\u003eHKCU\\SOFTWARE\\Classes\u003c/code\u003e (Sysmon Event ID 13, or Security Event ID 4657 with a SACL on those keys), which also catches the same change made with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect File Association Modification via Ftype\u003c/code\u003e to your SIEM and tune it for your environment; alert on assignments (\u003ccode\u003eftype name=command\u003c/code\u003e) rather than on bare queries, which are common in administrative scripts.\u003c/li\u003e\n\u003cli\u003eMonitor for processes spawned by \u003ccode\u003eexplorer.exe\u003c/code\u003e from unusual or user-writable locations (for example \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e or \u003ccode\u003eC:\\ProgramData\u003c/code\u003e), or with unexpected command-line arguments, after a file association modification event.\u003c/li\u003e\n\u003cli\u003eImplement application control (allow-listing) to block execution of unauthorized executables, including the payload a hijacked association points to.\u003c/li\u003e\n\u003cli\u003eReview and audit existing file associations from \u003ccode\u003eftype\u003c/code\u003e and \u003ccode\u003eassoc\u003c/code\u003e output or a registry export, comparing open commands against their known defaults (for example \u003ccode\u003e%SystemRoot%\\system32\\NOTEPAD.EXE %1\u003c/code\u003e for \u003ccode\u003etxtfile\u003c/code\u003e and \u003ccode\u003e\"%1\" %*\u003c/code\u003e for \u003ccode\u003eexefile\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-ftype-file-association/","summary":"Adversaries can use the `ftype` command to modify Windows file associations, potentially redirecting legitimate file execution to malicious payloads for persistence, execution, and defense evasion.","title":"Windows File Association Modification via Ftype Command","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ftype-file-association/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Association","version":"https://jsonfeed.org/version/1.1"}