Image File Execution Options Injection
Defense Evasion, Persistence, Privilege Escalation
Execution
Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:
attacker@victim
Launching a notepad on the victim system:
Same from the cmd shell:
Observations
Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable>
and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>
should be helpful in detecting this attack:
References
Last updated