Image File Execution Options Injection

Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne ·

Share on:

The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/17"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a
13different process to be executed. This functionality can be abused by an adversary to establish persistence.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Image File Execution Options Injection"
20references = [
21    "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
22]
23risk_score = 47
24rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "OS: Windows",
29    "Use Case: Threat Detection",
30    "Tactic: Persistence",
31    "Tactic: Defense Evasion",
32    "Data Source: Elastic Endgame",
33    "Data Source: Elastic Defend",
34    "Data Source: Sysmon",
35    "Data Source: Microsoft Defender for Endpoint",
36    "Data Source: SentinelOne",
37]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42registry where host.os.type == "windows" and event.type == "change" and
43  registry.value : ("Debugger", "MonitorProcess") and length(registry.data.strings) > 0 and
44  registry.path : (
45    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
46    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
47    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
48    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
49    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
50    "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
51    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
52    "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
53    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
54    "MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
55    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
56    "MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
57  ) and
58    /* add FPs here */
59  not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1546"
67name = "Event Triggered Execution"
68reference = "https://attack.mitre.org/techniques/T1546/"
69[[rule.threat.technique.subtechnique]]
70id = "T1546.012"
71name = "Image File Execution Options Injection"
72reference = "https://attack.mitre.org/techniques/T1546/012/"
73
74
75
76[rule.threat.tactic]
77id = "TA0003"
78name = "Persistence"
79reference = "https://attack.mitre.org/tactics/TA0003/"
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1112"
84name = "Modify Registry"
85reference = "https://attack.mitre.org/techniques/T1112/"
86
87
88[rule.threat.tactic]
89id = "TA0005"
90name = "Defense Evasion"
91reference = "https://attack.mitre.org/tactics/TA0005/"

References

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe

TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – C…

Read More

Image File Execution Options Injection

Elastic rule (View on GitHub)

References

Persistence using GlobalFlags in Image File Execution Options &#8211; Hidden from&nbsp;Autoruns.exe

Related rules

Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe