Image File Execution Options Injection
| Image File Execution Options Injection | |
|---|---|
| Tactic | Defense Evasion, Persistence, Privilege Escalation |
| Permissions Required | Administrator, SYSTEM |
| Data Sources | Process Monitoring, Windows Registry, Windows event logs |
Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, any executable file present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g notepad.exe”).[1]
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool.[2] IFEOs are represented as Debugger values in the Registry under `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>` and `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>`, where `<executable>` is the binary to which the debugger is attached.[1]
Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer.[3] Installing IFEO mechanisms may also provide Persistence via continuous invocation.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEOs will likely have unintended side effects, such as preventing legitimate software (e.g., security products) from operating properly.[6] Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Monitor for common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as
Monitor the IFEO Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits, such as RegCreateKeyEx and RegSetValueEx.[3]
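As an added example (not part of the ATT&CK page), the following audit script applies the monitoring guidance above to a `reg export` (.reg) dump of the two IFEO roots: it lists every subkey carrying a Debugger value and flags those whose debugger executable lives outside an allowlist of expected debugger directories. The allowlist, the sample export and the `updater.exe` entry in it are constructed for the example.

```python
import re
# Both IFEO roots the page names, as they appear in a `reg export` (.reg) file.
IFEO_ROOTS = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
)
# Constructed allowlist: directories where this hypothetical environment expects debuggers.
ALLOWED_DEBUGGER_DIRS = ("c:\\program files\\windows kits\\", "c:\\dbg\\")
# Constructed sample export: an expected ntsd entry and a Debugger value in a user-writable path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\dbg\\ntsd.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$')

def parse_ifeo_debuggers(reg_text):
    """Map each IFEO subkey (target executable) to its Debugger command string."""
    found, target = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if key := KEY_RE.match(line):
            target = None  # reset: only subkeys of an IFEO root are of interest
            for root in IFEO_ROOTS:
                if key.group(1).lower().startswith(root.lower() + "\\"):
                    target = key.group(1)[len(root) + 1:]
        elif (val := DEBUGGER_RE.match(line)) and target is not None:
            # .reg files escape backslashes and double quotes inside string values
            found[target] = val.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return found

def debugger_exe(command):
    """Return the executable path from a Debugger command such as 'C:\\dbg\\ntsd.exe -g'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def suspicious_debuggers(reg_text, allowed_dirs=ALLOWED_DEBUGGER_DIRS):
    """Return IFEO entries whose debugger executable lies outside the allowlisted directories."""
    return {t: cmd for t, cmd in parse_ifeo_debuggers(reg_text).items()
            if not debugger_exe(cmd).lower().startswith(allowed_dirs)}
```

Running `suspicious_debuggers(SAMPLE_REG)` on the sample returns only the `calc.exe` entry; the `notepad.exe` entry is allowlisted and the `iexplore.exe` key has no Debugger value.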
1. Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.
2. Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.
3. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques. Retrieved December 7, 2017.
4. F-Secure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.
5. Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.
6. Microsoft. (2015, July 30). Part of Windows 10 or really Malware? Retrieved December 18, 2017.
7. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
8. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
9. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.