Registry key modifications under IFEO paths (e.g., Debugger value set under Image File Execution Options), especially for security-related or accessibility binaries, followed by anomalous process execution with debugger flags or SYSTEM-level access at login. Detectable by correlating registry modifications, process creation, and parent-child anomalies with unusual command-line usage or access tokens.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |

| Field | Description |
|---|---|
| TimeWindow | Time delta for correlating registry modification and debugger-triggered execution |
| TargetBinary | Specific executables that trigger defenders’ alerts when IFEO values are set |
| ParentProcessAnomaly | Tunable logic for detecting parent-child anomalies (e.g., non-standard parent processes) |
| TokenElevationContext | May require tuning based on normal SYSTEM or admin process elevation patterns |
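The correlation described above, worked as an added example that is not part of the ATT&CK page: it takes Sysmon-shaped event records (registry value-set events 12/13 and process-creation event 1; the Security 4657 channel is not modelled), picks out IFEO `Debugger` value sets, and then looks for a process-creation event within `TimeWindow` where the debugger image is launched with the hijacked binary on its command line. The four tunables map onto the table fields; their defaults, the expected-parent baseline and the sample events are all constructed for the example.

```python
"""Correlate IFEO Debugger modifications with later anomalous process execution.

Added example using constructed Sysmon-style records; field names follow
Sysmon's event schema, the tunable defaults are assumptions to be tuned per site.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Matches a TargetObject of the form ...\Image File Execution Options\<binary>\Debugger
IFEO_DEBUGGER_RE = re.compile(
    r"\\Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$", re.IGNORECASE
)

# Tunables corresponding to the fields in the table above (constructed defaults).
TIME_WINDOW = timedelta(minutes=30)                      # TimeWindow
TARGET_BINARIES = {                                      # TargetBinary (accessibility binaries)
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe", "displayswitch.exe",
}
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}       # ParentProcessAnomaly baseline (assumed)
ELEVATED_USERS = {"NT AUTHORITY\\SYSTEM"}                # TokenElevationContext (assumed)

# Constructed sample events: one IFEO Debugger set, one GlobalFlag set (benign IFEO use),
# the hijacked launch from winlogon as SYSTEM, and an unrelated cmd.exe from explorer.
SAMPLE_EVENTS = [
    {"EventCode": 13, "UtcTime": "2024-01-01T08:00:00",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 13, "UtcTime": "2024-01-01T08:01:00",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\GlobalFlag",
     "Details": "DWORD (0x00000002)"},
    {"EventCode": 1, "UtcTime": "2024-01-01T08:05:00",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe 211"},
    {"EventCode": 1, "UtcTime": "2024-01-01T08:10:00",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": "CORP\\alice", "CommandLine": "cmd.exe /c dir"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def ifeo_debugger_sets(events):
    """Yield (timestamp, target binary, debugger path) for registry events that set an IFEO Debugger value."""
    for ev in events:
        if ev["EventCode"] not in (12, 13):
            continue
        m = IFEO_DEBUGGER_RE.search(ev["TargetObject"])
        if m:
            yield datetime.fromisoformat(ev["UtcTime"]), m.group("target").lower(), ev.get("Details", "")


def correlate(events, window=TIME_WINDOW, expected_parents=EXPECTED_PARENTS,
              elevated_users=ELEVATED_USERS):
    """Return alerts for debugger-triggered launches that follow an IFEO Debugger modification."""
    alerts = []
    for reg_ts, target, debugger in ifeo_debugger_sets(events):
        for ev in events:
            if ev["EventCode"] != 1:
                continue
            ts = datetime.fromisoformat(ev["UtcTime"])
            if not (reg_ts <= ts <= reg_ts + window):
                continue
            # A hijack shows up as the debugger image running with the target binary as its argument.
            if not (basename(ev["Image"]) == basename(debugger)
                    and target in ev.get("CommandLine", "").lower()):
                continue
            reasons = ["debugger_launched_with_target"]
            if target in TARGET_BINARIES:
                reasons.append("sensitive_target_binary")
            if basename(ev["ParentImage"]) not in expected_parents:
                reasons.append("parent_anomaly")
            if ev.get("User") in elevated_users:
                reasons.append("elevated_token")
            alerts.append({"registry_time": reg_ts, "process_time": ts, "target": target,
                           "debugger": debugger, "parent": ev["ParentImage"],
                           "user": ev.get("User"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["target"], "->", alert["debugger"], alert["reasons"])
```

In a SIEM the same logic is a join between the registry and process-creation indices keyed on host and bounded by `TimeWindow`; the reason list is what you would surface as alert context, and `EXPECTED_PARENTS` is the field that needs the most per-environment tuning, since legitimate accessibility launches from the logon screen do come from `winlogon.exe`.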