Image File Execution Options Injection
The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/17"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a
11different process to be executed. This functionality can be abused by an adversary to establish persistence.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Image File Execution Options Injection"
18references = [
19 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
20]
21risk_score = 47
22rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Persistence",
29 "Tactic: Defense Evasion",
30 "Data Source: Elastic Endgame",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38registry where host.os.type == "windows" and length(registry.data.strings) > 0 and
39 registry.path : (
40 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
41 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
42 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
43 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
44 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
45 "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
46 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
47 "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
48 ) and
49 /* add FPs here */
50 not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1546"
58name = "Event Triggered Execution"
59reference = "https://attack.mitre.org/techniques/T1546/"
60[[rule.threat.technique.subtechnique]]
61id = "T1546.012"
62name = "Image File Execution Options Injection"
63reference = "https://attack.mitre.org/techniques/T1546/012/"
64
65
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73[[rule.threat.technique]]
74id = "T1112"
75name = "Modify Registry"
76reference = "https://attack.mitre.org/techniques/T1112/"
77
78
79[rule.threat.tactic]
80id = "TA0005"
81name = "Defense Evasion"
82reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – C…
Read More
Related rules
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected
- Registry Persistence via AppInit DLL
- Suspicious ImagePath Service Creation
- Suspicious Startup Shell Folder Modification