IFEO Injection
What is IFEO Injection?
A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches.
IFEO injection (MITRE ATT&CK T1546.012) abuses the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Originally meant for debugging, this key lets an administrator attach a Debugger value to an executable's file name: whenever Windows launches that program, it launches the named debugger instead, passing the original command line as its argument. Attackers register their payload as the debugger of a commonly used executable (sethc.exe, utilman.exe, taskmgr.exe) to gain persistence, or set the GlobalFlag value together with a matching SilentProcessExit subkey to spawn code when a target process exits. The technique requires administrative rights, but it is highly effective and often missed. Defenses: monitor writes to the IFEO key with Sysmon Event ID 13 (RegistryEvent, value set), block unauthorised binaries with AppLocker, and alert on Debugger values that point to unsigned binaries.
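The detection side of the paragraph above, as an added example that is not part of the original page: a small rule set that scans Sysmon Event ID 13 (registry value set) records and raises an alert when a Debugger value, a GlobalFlag with the SilentProcessExit bit, or a SilentProcessExit MonitorProcess value is written. The single-line `Key=Value` log layout, the `APPROVED_DEBUGGERS` allowlist and every path in the sample records are constructed for this example; real Sysmon output is XML or EVTX, and the signature status of the registered debugger would be checked on the host.

```python
"""Flag IFEO / SilentProcessExit abuse in Sysmon Event ID 13 records.

Sysmon Event ID 13 (RegistryEvent, value set) carries the key path written
(TargetObject), the data written (Details) and the writing process (Image).
The records below are CONSTRUCTED for this example and use an assumed
single-line "Key=Value" layout; the field names follow Sysmon's.
"""
import re

IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"

# FLG_MONITOR_SILENT_PROCESS_EXIT: the GlobalFlag bit that turns on the
# SilentProcessExit mechanism for an image.
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

# Hypothetical allowlist of debuggers an organisation has sanctioned. Any other
# Debugger value is treated as suspicious. Hard-coded for the example; a real
# deployment would also verify the binary's Authenticode signature on the host.
APPROVED_DEBUGGERS = {r"c:\program files\windbg\windbg.exe"}

# Executables the page names as common targets; a hit on one of these is
# escalated to "critical".
WATCHLIST = {"sethc.exe", "utilman.exe", "taskmgr.exe", "lsass.exe"}

# One "Key=Value" field; the value runs until the next " Key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split a constructed 'Key=Value Key=Value' Sysmon line into a dict."""
    return dict(FIELD_RE.findall(line))


def split_target(target):
    """Return (root, image_name, value_name) for a write directly under an
    IFEO or SilentProcessExit per-image subkey, or None for anything else."""
    for root in (IFEO_ROOT, SPE_ROOT):
        prefix = root + "\\"
        if target.lower().startswith(prefix.lower()):
            parts = target[len(prefix):].split("\\")
            if len(parts) == 2:  # <image>.exe \ <value name>
                return root, parts[0].lower(), parts[1].lower()
    return None


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000200)'; return the int or None."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return an alert dict for a suspicious IFEO/SilentProcessExit write, else None."""
    if event.get("EventID") != "13":
        return None
    parsed = split_target(event.get("TargetObject", ""))
    if parsed is None:
        return None
    root, image, value = parsed
    details = event.get("Details", "")
    finding = None
    if root == IFEO_ROOT and value == "debugger":
        if details.strip('"').lower() not in APPROVED_DEBUGGERS:
            finding = ("high", f"unapproved Debugger {details!r} registered for {image}")
    elif root == IFEO_ROOT and value == "globalflag":
        flags = parse_dword(details)
        if flags is not None and flags & FLG_MONITOR_SILENT_PROCESS_EXIT:
            finding = ("medium", f"GlobalFlag enables SilentProcessExit monitoring for {image}")
    elif root == SPE_ROOT and value == "monitorprocess":
        finding = ("high", f"SilentProcessExit MonitorProcess {details!r} set for {image}")
    if finding is None:
        return None
    severity, reason = finding
    if image in WATCHLIST:
        severity = "critical"
    return {"severity": severity, "image": image,
            "writer": event.get("Image", "?"), "reason": reason}


def scan(lines):
    """Run every record through the rules and return the list of alerts."""
    return [a for a in (evaluate(parse_event(line)) for line in lines) if a]


# Constructed sample records (not real telemetry).
SAMPLE_LINES = [
    r"EventID=13 UtcTime=2024-01-01T10:00:00 Image=C:\Windows\regedit.exe "
    r"TargetObject=" + IFEO_ROOT + r"\sethc.exe\Debugger Details=C:\Users\Public\updater.exe",
    r"EventID=13 UtcTime=2024-01-01T10:00:05 Image=C:\Windows\System32\reg.exe "
    r"TargetObject=" + IFEO_ROOT + r"\svc.exe\GlobalFlag Details=DWORD (0x00000200)",
    r"EventID=13 UtcTime=2024-01-01T10:00:06 Image=C:\Windows\System32\reg.exe "
    r"TargetObject=" + SPE_ROOT + r"\lsass.exe\MonitorProcess Details=C:\Users\Public\monitor.exe",
    r"EventID=13 UtcTime=2024-01-01T10:01:00 Image=C:\Windows\System32\msiexec.exe "
    r"TargetObject=" + IFEO_ROOT + r"\myapp.exe\Debugger Details=C:\Program Files\WinDbg\windbg.exe",
    r"EventID=13 UtcTime=2024-01-01T10:02:00 Image=C:\Windows\explorer.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool Details=C:\Tools\tool.exe",
    r"EventID=12 UtcTime=2024-01-01T10:03:00 Image=C:\Windows\regedit.exe "
    r"TargetObject=" + IFEO_ROOT + r"\sethc.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(f"[{alert['severity']}] {alert['reason']} (written by {alert['writer']})")
```

Running the module on the constructed records yields three alerts: the sethc.exe Debugger and the lsass.exe MonitorProcess writes are escalated to critical because both images are on the watchlist, the GlobalFlag write on an unlisted image stays medium, and the approved debugger, the Run-key write and the Event ID 12 key creation produce nothing.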
● Examples
- 01
Setting a Debugger value on sethc.exe so pressing Shift five times at the lock screen spawns a SYSTEM shell.
- 02
Configuring SilentProcessExit on lsass.exe to dump credentials when the process exits.
● Frequently asked questions
What is IFEO Injection?
A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against IFEO Injection?
Monitor writes to the Image File Execution Options key with Sysmon Event ID 13, alert on Debugger values that point to unsigned binaries, use AppLocker to block unauthorised executables from running, and keep administrative rights tightly controlled, since writing to this HKLM key requires them.
What are other names for IFEO Injection?
Common alternative names include: Image File Execution Options abuse, Debugger hijack, SilentProcessExit persistence.
● Related terms
- attacks№ 331
DLL Hijacking
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
- attacks№ 200
COM Hijacking
A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
- attacks№ 914
Registry Run Key Persistence
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
- attacks№ 1246
WMI Event Subscription Persistence
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
- attacks№ 975
Scheduled Task Persistence
Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
- attacks№ 054
AppInit_DLLs
Legacy Windows persistence technique that abuses a registry value so a specified DLL is loaded into every user-mode process linking user32.dll.