As promised, we continue our Using MITRE ATT&CK for Forensics series. This time we are going to discuss another persistence mechanism that isn't so common in the wild: Image File Execution Options (IFEO) injection, a persistence technique with ID T1183 (in the current ATT&CK matrix it lives under Event Triggered Execution as sub-technique T1546.012).
So, what are IFEO? These options let a developer attach a debugger to an application: a Debugger value under the IFEO subkey for an image name is launched every time that image is started. What is more, IFEO can be used to run an arbitrary monitor program when a specified program exits "silently", that is, when it terminates itself via ExitProcess or is terminated by another process via TerminateProcess (as opposed to crashing). How can this be used by adversaries to gain persistence? The monitor program can be malware, and it is relaunched every time the legitimate program closes.
Is this persistence mechanism used in the wild? Yes! For example, this technique was used by the TRITON threat actor.
How can forensic analysts find this mechanism? In fact, it's pretty easy. All you need is to look at the SilentProcessExit key in the SOFTWARE hive (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit, together with its companion IFEO key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options):
Let’s focus on subkeys, in our case it’s “iexplore.exe”:
So, our subkey has a MonitorProcess value with the following data: C:\Windows\1.exe. It means that when iexplore.exe (Internet Explorer) is closed, for example by the user, 1.exe from C:\Windows will be run. Two other values make this work, and they are worth checking to confirm that the entry is actually armed: ReportingMode under the same SilentProcessExit subkey must have bit 0x1 set (launch the monitor process), and GlobalFlag under Image File Execution Options\iexplore.exe must contain 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT). A MonitorProcess value without those two flags does nothing, but its presence is still a strong indicator of an attempted or partially cleaned-up installation.
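To make the check repeatable, here is an added example (not from the original post and not a tool of the TRITON actor) that triages both halves of the technique from a .reg export of the two keys above, as produced by `reg export` or by a hive viewer. The input below is a constructed sample modelled on the iexplore.exe case; the script parses it with the standard library only, reports every SilentProcessExit entry with a MonitorProcess value, checks whether ReportingMode and GlobalFlag actually arm it, and also lists classic IFEO Debugger hijacks. Value and flag names are the real Windows ones; the file contents and the helper names are mine.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit in IFEO\<image>
REPORTING_MODE_LAUNCH_MONITOR = 0x1       # ReportingMode bit in SilentProcessExit\<image>

# Constructed .reg export for illustration; it is not from a real system.
# iexplore.exe mirrors the post (fully armed), calc.exe has a MonitorProcess
# but is not armed, notepad.exe carries a plain IFEO Debugger hijack.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\iexplore.exe]
"MonitorProcess"="C:\\Windows\\1.exe"
"ReportingMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe]
"MonitorProcess"="C:\\Windows\\System32\\notepad.exe"
"ReportingMode"=dword:00000002
'''


def _decode(data):
    """Decode a .reg value payload: quoted strings and dword; others kept raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) binary blobs etc. are left as text


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a Windows 5.00 .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode(data)
    return keys


def find_silent_exit_persistence(keys):
    """Every SilentProcessExit\\<image> with a MonitorProcess, plus whether it is armed."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(SPE.lower() + "\\"):
            continue
        image = path[len(SPE) + 1:]
        monitor = values.get("MonitorProcess")
        if not monitor:
            continue
        mode = values.get("ReportingMode", 0)
        gflag = by_lower.get((IFEO + "\\" + image).lower(), {}).get("GlobalFlag", 0)
        launch = isinstance(mode, int) and bool(mode & REPORTING_MODE_LAUNCH_MONITOR)
        flagged = isinstance(gflag, int) and bool(gflag & FLG_MONITOR_SILENT_PROCESS_EXIT)
        findings.append({
            "image": image,
            "monitor": monitor,
            "reporting_mode_launch": launch,
            "global_flag_0x200": flagged,
            "armed": launch and flagged,   # only then does the monitor actually run on exit
        })
    return findings


def find_ifeo_debuggers(keys):
    """Classic IFEO hijack: a Debugger value under Image File Execution Options\\<image>."""
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO.lower() + "\\") and values.get("Debugger"):
            hits.append((path[len(IFEO) + 1:], values["Debugger"]))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for f in find_silent_exit_persistence(parsed):
        print(("ARMED   " if f["armed"] else "inactive") + f"  {f['image']} -> {f['monitor']}")
    for image, dbg in find_ifeo_debuggers(parsed):
        print(f"DEBUGGER  {image} -> {dbg}")
```

Against a real case, export the two keys from the suspect SOFTWARE hive and feed the file to parse_reg; an "ARMED" line means a monitor process that will start every time the named program exits, an "inactive" line means a MonitorProcess that is present but not wired up, which still deserves a look at the file it points to.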
Another interesting thing: this technique was first presented to the public by Oddvar Moe on 10 April 2018, but at the time of writing it still isn't detected by Autoruns:
If you want a specific technique to be examined next from a forensics point of view, ping me on Twitter.