Image file execution options (IFEO) registry key set

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Severity

Low

Description

Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

Attacker's Goals

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.

Investigative actions

  • Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
  • Also look at the debugged process and what it is executing to determine if it is malicious.

Variations

Image file execution options (IFEO) registry key set to execute a shell or scripting engine process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Severity

High

Description

Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

Attacker's Goals

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.

Investigative actions

  • Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
  • Also look at the debugged process and what it is executing to determine if it is malicious.


Image file execution options (IFEO) registry key set to activate Windows licenses illegally

Synopsis

ATT&CK Tactic

ATT&CK Technique

Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Severity

Medium

Description

Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable. This is also used by tools that were made to activate Windows licenses illegally.

Attacker's Goals

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.

Investigative actions

  • Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
  • Also look at the debugged process and what it is executing to determine if it is malicious.


Image file execution options (IFEO) registry key set using reg.exe

Synopsis

ATT&CK Tactic

ATT&CK Technique

Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Severity

High

Description

Attackers may use the Image File Execution Options Registry key to launch their executable whenever the user attempts to execute a certain executable.

Attacker's Goals

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options debuggers.

Investigative actions

  • Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
  • Also look at the debugged process and what it is executing to determine if it is malicious.