diff --git a/Data/HKCR File Extentions b/Data/HKCR File Extentions new file mode 100644 index 0000000..1af7e6e --- /dev/null +++ b/Data/HKCR File Extentions 
@@ -0,0 +1,51 @@ +## (HKEY Classes Root) HKCR File Extentions + + + + +### Location: +`Computer\HKEY_CLASSES_ROOT` +`Computer\HKEY_CURRENT_USER\SOFTWARE\Classes` +`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes` + + +### Classification: + +|Criteria|Value| +|:---|:---| +|Permissions|User; Admin| +|Security context| User; System[^1] | +|Persistence type| Registry | +|Code type|EXE; DLL; Other| +|Launch type|Automatic; Any logon required| +|Impact|Non-Destructive| +|OS Version|All OS versions| +|Dependencies|OS only| +|Toolset|Scriptable| + + +### Description: +the `Computer\HKEY_CLASSES_ROOT` is a combined hive of 'Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes' and 'Computer\HKEY_CURRENT_USER\SOFTWARE\Classes', in HKLM case you need admin rights, in HKCU not. +as you explore different file types you see interesting thing, some start specific application which you can concatenate cmd with /c to start you application plus the legitimate one, or whatever you prefer. +in some cases like jpegtile you see 'Run32dll.exe' which is in LOLBIN project which acts evasive to concatenate you're malicious DLL with it. +as leverage any file extention, youre code may not lunch instantly so be patient. +and as the list continuous, you see vast amount of targets :) +Detection is so simple, just do Endpoint Baselining with Powershell and you're good to go (Configuring SySmon for looking at these hives is a little bit noisy and hard but in case that you wanted to configure that, look for famous ones) +NOTE: some registry keys may differ as you switch from windows 10 to 11 and vice versa, but most of them are the same + + +### References: + + + +### Credits: + + +### See also: + + + +### Remarks: +[^1]: Depends on the key to be available +[^2]: CMD will show for a glance in some cases +[^3]: Execution level depend on the user privilege (in most cases)
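Review bot: the Description names the wrong binary and ProgID: `'Run32dll.exe'` should read `rundll32.exe` (the LOLBin the sentence refers to) and `jpegtile` is presumably the `jpegfile` class; as written, a reader grepping HKCR or the LOLBAS list for these strings finds nothing. Same fix for the file path and heading, where `Extentions` should be `Extensions`. Two documentation points in the same hunk: footnotes `[^2]` and `[^3]` are defined under Remarks but never cited in the body (only `[^1]` is used, in the Classification table), so either attach them to the rows they qualify (Impact for the visible `cmd` window, Permissions/Security context for the execution-level caveat) or drop them; and the Classification row `|Launch type|Automatic; Any logon required|` contradicts the later statement that "youre code may not lunch instantly", which implies execution only when a file of that type is opened, so the row should say the trigger is the user opening an associated file rather than automatic at logon. Finally, "just do Endpoint Baselining with Powershell" gives the reader nothing to script: state which values under the listed hives to baseline (the per-class default command that launches the handler application) and what a diff against the baseline should flag, e.g. a `cmd /c` prefix or a changed DLL path, since those are the modifications the Description itself describes. The References, Credits and See also sections are empty in a file that is being added, so either fill them (the LOLBIN project is already mentioned in the text) or remove the headings until there is content.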