Change the command associated with opening a file, for example when you load a .html file, to execute arbitrary command.

• User Keys stored in HKEY_USERS\S-xxxx_classes[extension]
• There will be a subfolder called Shell with a folder called open and then a key for command
• Replace the command with malicious command
  • You could replace with a .exe that also deploys the original .exe so the victim doesn't notice anything has changed
  • https://github.com/hasherezade/persistence_demos/blob/master/extension_hijack/proxy_app/src/main.cpp

• Global handlers are defined in HKEY_CLASSES_ROOT.[extension]
• HKEY_CLASSES_ROOT[handler]\shell[action]\command
• If there is no local extension then the global one is executed
  • Read extension handlers defined globally
  • Rewrite them locally
  • Hijack

https://hshrzd.wordpress.com/2017/05/25/hijacking-extensions-handlers-as-a-malware-persistence-method/