T1546.012
Image File Execution Options Injection
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs c...
Windows
8 Detections
3 Sources
0 Threat Actors
BY SOURCE
elastic: 4, sigma: 2, splunk_escu: 2
PROCEDURES (3)
Persist: 5 detections
Auto-extracted: 5 detections for persist
Registry Monitoring: 2 detections
Auto-extracted: 2 detections for registry monitoring
Persist: 1 detection
Auto-extracted: 1 detection for persist
DETECTIONS (8)
Image File Execution Options Injection (elastic, medium)
Potential Persistence Via App Paths Default Property (sigma, high)
Potential Persistence Via GlobalFlags (sigma, high)
Registry Keys Used For Privilege Escalation (splunk_escu)
Suspicious WerFault Child Process (elastic, medium)
Uncommon Registry Persistence Change (elastic, medium)
Werfault ReflectDebugger Persistence (elastic, low)
Windows Event Triggered Image File Execution Options Injection (splunk_escu)