Image File Execution Options Injection
The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/17"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/08/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a
11different process to be executed. This functionality can be abused by an adversary to establish persistence.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Image File Execution Options Injection"
18references = [
19 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
20]
21risk_score = 47
22rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Persistence",
29 "Tactic: Defense Evasion",
30 "Data Source: Elastic Endgame",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38registry where host.os.type == "windows" and event.type == "change" and
39 registry.value : ("Debugger", "MonitorProcess") and length(registry.data.strings) > 0 and
40 registry.path : (
41 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
42 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
43 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
44 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
45 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
46 "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
47 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
48 "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess"
49 ) and
50 /* add FPs here */
51 not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1546"
59name = "Event Triggered Execution"
60reference = "https://attack.mitre.org/techniques/T1546/"
61[[rule.threat.technique.subtechnique]]
62id = "T1546.012"
63name = "Image File Execution Options Injection"
64reference = "https://attack.mitre.org/techniques/T1546/012/"
65
66
67
68[rule.threat.tactic]
69id = "TA0003"
70name = "Persistence"
71reference = "https://attack.mitre.org/tactics/TA0003/"
72[[rule.threat]]
73framework = "MITRE ATT&CK"
74[[rule.threat.technique]]
75id = "T1112"
76name = "Modify Registry"
77reference = "https://attack.mitre.org/techniques/T1112/"
78
79
80[rule.threat.tactic]
81id = "TA0005"
82name = "Defense Evasion"
83reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Suspicious ImagePath Service Creation
- Unusual Persistence via Services Registry
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected
- Registry Persistence via AppInit DLL