EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows Event Triggered Image File Execution Options Injection

The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.

MITRE ATT&CK

T1546.012

Detection Query

`wineventlog_application` EventCode=3000
  | rename param1 AS "Process" param2 AS "Exit_Code"
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY Process Exit_Code dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_event_triggered_image_file_execution_options_injection_filter`

Author

Michael Haag, Splunk

Created

2026-02-25

Data Sources

Windows Event Log Application 3000

References

Tags

Windows Persistence Techniques
Raw Content
name: Windows Event Triggered Image File Execution Options Injection
id: f7abfab9-12ea-44e8-8745-475f9ca6e0a4
version: 7
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.
data_source:
    - Windows Event Log Application 3000
search: |-
    `wineventlog_application` EventCode=3000
      | rename param1 AS "Process" param2 AS "Exit_Code"
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY Process Exit_Code dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_event_triggered_image_file_execution_options_injection_filter`
how_to_implement: This analytic requires capturing the Windows Event Log Application channel in XML.
known_false_positives: False positives may be present and tuning will be required before turning into a finding or intermediate finding.
references:
    - https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html
    - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit
tags:
    analytic_story:
        - Windows Persistence Techniques
    asset_type: Endpoint
    mitre_attack_id:
        - T1546.012
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log
          source: XmlWinEventLog:Application
          sourcetype: XmlWinEventLog