Image File Execution Options Injection
The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/11/17"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a
different process to be executed. This functionality can be abused by an adversary to establish persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Image File Execution Options Injection"
references = [
  "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
]
risk_score = 47
rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : ("Debugger", "MonitorProcess") and length(registry.data.strings) > 0 and
  registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
    "MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
  ) and
  /* add FPs here */
  not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Image File Execution Options Injection

Image File Execution Options (IFEO) is a Windows feature allowing developers to debug applications by specifying an alternative executable to run. Adversaries exploit this by setting a debugger to execute malicious code instead, achieving persistence or evasion. The detection rule identifies changes to specific registry keys associated with IFEO, flagging potential misuse by monitoring for unexpected executables being set as debuggers.

### Possible investigation steps

- Review the registry path and value that triggered the alert to identify the specific executable or process being targeted for debugging or monitoring.
- Check the registry.data.strings field to determine the unexpected executable set as a debugger or monitor process, and assess its legitimacy.
- Investigate the origin and purpose of the executable found in the registry.data.strings by checking its file properties, digital signature, and any associated metadata.
- Correlate the alert with recent system or user activity to identify any suspicious behavior or changes that coincide with the registry modification.
- Examine the system for additional indicators of compromise, such as unusual network connections, file modifications, or other registry changes, to assess the scope of potential malicious activity.
- Consult threat intelligence sources to determine if the identified executable or behavior is associated with known malware or threat actors.

### False positive analysis

- ThinKiosk and PSAppDeployToolkit are known to trigger false positives due to their legitimate use of the Debugger registry key. Users can mitigate this by adding exceptions for these applications in the detection rule.
- Regularly review and update the list of exceptions to include any new legitimate applications that may use the Debugger or MonitorProcess registry keys for valid purposes.
- Monitor the environment for any new software installations or updates that might interact with the IFEO registry keys and adjust the rule exceptions accordingly to prevent unnecessary alerts.
- Collaborate with IT and security teams to identify any internal tools or scripts that might be using these registry keys for legitimate reasons and ensure they are accounted for in the rule exceptions.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious processes identified as being executed through the IFEO mechanism to halt any ongoing malicious activity.
- Revert any unauthorized changes to the registry keys associated with Image File Execution Options and SilentProcessExit to their default or intended state.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms.
- Review and restore any altered or deleted system files from a known good backup to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for registry changes related to IFEO to detect and respond to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
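The query above alerts on a registry change to a Debugger value under an Image File Execution Options subkey or a MonitorProcess value under a SilentProcessExit subkey (in the three path spellings the listed data sources emit), requires the written data to be non-empty, and then carves out the two known false positives. The Python below is an added example written for this page, not Elastic's code: it re-implements that EQL logic so the match and exclusion behaviour can be checked offline against a handful of constructed events, and adds a triage helper for the investigation steps in the rule's note. Per the oddvar.moe post the rule references, a MonitorProcess value only runs when the image also has IFEO\<image>\GlobalFlag with bit 0x200 set and SilentProcessExit\<image>\ReportingMode with bit 0x1 set; the rule alerts on MonitorProcess alone, which is the right choice because it is the earliest artifact an adversary has to write, but the other two values tell you whether the payload is already live. Assumptions: EQL's `:` wildcard and `regex~` are case-insensitive and anchored to the whole value (which is why the PSAppDeployToolkit exclusion carries `.*` on both ends); registry.data.strings, an array in ECS, is modelled as a single string; all event fields, registry snapshot entries and executable paths are constructed, not captured from a host.

```python
"""Offline replica of the "Image File Execution Options Injection" rule logic.

Added example for this page (not Elastic's code). Every sample event, snapshot
entry and executable path below is constructed for illustration.
"""
import re

# The rule's twelve registry.path wildcards, expressed as prefix x suffix.
PREFIXES = ("HKLM\\", "\\REGISTRY\\MACHINE\\", "MACHINE\\")
SUFFIXES = (
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
    "SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
)


def wildcard_to_regex(pattern):
    """EQL ':' comparison: '*' matches any run of characters, case-insensitive, whole value."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.IGNORECASE)


PATH_PATTERNS = [wildcard_to_regex(p + s) for p in PREFIXES for s in SUFFIXES]

# The rule's "add FPs here" exclusions. regex~ is case-insensitive and anchored to the
# whole value (assumption stated in the lead-in), hence the .* wrappers on the second one.
FP_PATTERNS = [
    re.compile(r"C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe", re.IGNORECASE),
    re.compile(r".*\\PSAppDeployToolkit\\.*", re.IGNORECASE),
]


def matches_rule(event):
    """True when an event satisfies every clause of the EQL query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if event.get("registry.value", "").lower() not in ("debugger", "monitorprocess"):
        return False
    data = event.get("registry.data.strings") or ""  # ECS array modelled as one string
    if len(data) == 0:  # value cleared or non-string data: length(...) > 0 fails
        return False
    if not any(p.fullmatch(event.get("registry.path", "")) for p in PATH_PATTERNS):
        return False
    return not any(fp.fullmatch(data) for fp in FP_PATTERNS)


# Triage helper: is a SilentProcessExit entry actually armed?
IFEO = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
SPE = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit that turns silent-exit monitoring on
LAUNCH_MONITOR_PROCESS = 0x1             # ReportingMode bit that makes WER run MonitorProcess


def silent_exit_state(snapshot, image):
    """Classify an image's SilentProcessExit entry from a {registry path: value} snapshot.

    'dormant' means MonitorProcess is staged but GlobalFlag/ReportingMode do not yet let it run.
    """
    if not snapshot.get(SPE + image + "\\MonitorProcess"):
        return "absent"
    reporting = snapshot.get(SPE + image + "\\ReportingMode", 0)
    global_flag = snapshot.get(IFEO + image + "\\GlobalFlag", 0)
    armed = bool(global_flag & FLG_MONITOR_SILENT_PROCESS_EXIT) and bool(reporting & LAUNCH_MONITOR_PROCESS)
    return "armed" if armed else "dormant"


def make_event(path, value, data, os_type="windows"):
    """Build a minimal ECS-shaped registry change event (constructed, not captured)."""
    return {"host.os.type": os_type, "event.type": "change", "registry.path": path,
            "registry.value": value, "registry.data.strings": data}


SAMPLE_EVENTS = [
    # 1. alert: arbitrary binary registered as notepad.exe's "debugger"
    make_event(IFEO + "notepad.exe\\Debugger", "Debugger", "C:\\Users\\Public\\update.exe"),
    # 2. alert: MonitorProcess in the 32-bit view, \REGISTRY\MACHINE path spelling
    make_event("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion"
               "\\SilentProcessExit\\iexplore.exe\\MonitorProcess", "MonitorProcess",
               "C:\\ProgramData\\update.exe"),
    # 3. excluded by the ThinKiosk regex
    make_event(IFEO + "explorer.exe\\Debugger", "Debugger",
               "C:\\Program Files (x86)\\ThinKiosk\\thinkiosk.exe"),
    # 4. excluded: PSAppDeployToolkit anywhere in the path
    make_event(IFEO + "winword.exe\\Debugger", "Debugger",
               "C:\\Temp\\PSAppDeployToolkit\\Deploy-Application.exe"),
    # 5. no alert: the value is being cleared (empty data)
    make_event(IFEO + "notepad.exe\\Debugger", "Debugger", ""),
    # 6. no alert: GlobalFlag is part of the technique but not a value this rule watches
    make_event(IFEO + "notepad.exe\\GlobalFlag", "GlobalFlag", "0x200"),
]

SAMPLE_SNAPSHOT = {
    IFEO + "notepad.exe\\GlobalFlag": 0x200,
    SPE + "notepad.exe\\ReportingMode": 1,
    SPE + "notepad.exe\\MonitorProcess": "C:\\Users\\Public\\update.exe",
    # MonitorProcess written but GlobalFlag/ReportingMode missing: fires the rule, yet inert so far
    SPE + "calc.exe\\MonitorProcess": "C:\\Users\\Public\\update.exe",
}


def evaluate(events):
    """Rule verdict per event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: {'ALERT' if matches_rule(ev) else 'no alert'} "
              f"{ev['registry.value']}={ev['registry.data.strings']!r}")
    for image in ("notepad.exe", "calc.exe", "cmd.exe"):
        print(f"{image}: SilentProcessExit {silent_exit_state(SAMPLE_SNAPSHOT, image)}")
```

Events 5 and 6 are the two blind spots worth knowing about when tuning: clearing a Debugger value produces no alert because of the `length(...) > 0` clause, and a GlobalFlag or ReportingMode write on its own is not matched, so an adversary who stages those first and writes MonitorProcess last still trips the rule only at the final step. When an alert does fire, the snapshot check tells you whether the entry was already live or merely staged, which changes how urgently the host needs to be isolated.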
References
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
Related rules
- Installation of Security Support Provider
- Suspicious ImagePath Service Creation
- Suspicious WerFault Child Process
- Unusual Persistence via Services Registry
- Alternate Data Stream Creation/Execution at Volume Root Directory