1. Home
  2. Techniques
  3. Enterprise
  4. Event Triggered Execution
  5. Image File Execution Options Injection

Event Triggered Execution: Image File Execution Options Injection

ID Name
T1546.001 Change Default File Association
T1546.002 Screensaver
T1546.003 Windows Management Instrumentation Event Subscription
T1546.004 Unix Shell Configuration Modification
T1546.005 Trap
T1546.006 LC_LOAD_DYLIB Addition
T1546.007 Netsh Helper DLL
T1546.008 Accessibility Features
T1546.009 AppCert DLLs
T1546.010 AppInit DLLs
T1546.011 Application Shimming
T1546.012 Image File Execution Options Injection
T1546.013 PowerShell Profile
T1546.014 Emond
T1546.015 Component Object Model Hijacking
T1546.016 Installer Packages
T1546.017 Udev Rules
T1546.018 Python Startup Hooks

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). [1]

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. [2] IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. [1]

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). [3] [4] Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. [3] [4]

Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the "debugger" program to be executed with SYSTEM privileges. [5]

Similar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. [6] Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications. [7] [8]

ID: T1546.012
Sub-technique of:  T1546
Platforms: Windows
Contributors: Oddvar Moe, @oddvarmoe
Version: 1.2
Created: 24 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0032 C0032

During the C0032 campaign, TEMP.Veles modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.[9]
S0461 SDBbot

SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.[10]
S0559 SUNBURST

SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.[11]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0422 Detection Strategy for IFEO Injection on Windows AN1186

Registry key modifications under IFEO paths (e.g., Debugger value set under Image File Execution Options), especially for security-related or accessibility binaries, followed by anomalous process execution with debugger flags or SYSTEM-level access at login. Detectable by correlating registry modifications, process creation, and parent-child anomalies with unusual command-line usage or access tokens.

References

  1. Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.
  2. Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.
  3. Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.
  4. Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.
  5. Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 17, 2024.
  6. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  1. FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.
  2. Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.
  3. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  4. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  5. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.