
Using MITRE ATT&CK for Forensics: Image File Execution Options Injection (T1183)


As promised, we continue our Using MITRE ATT&CK for Forensics series. This time we are going to discuss another persistence mechanism that isn’t so common in the wild: Image File Execution Options (IFEO) injection, a persistence technique with ID T1183.

So, what are IFEO? These options enable a developer to attach a debugger to an application. What is more, IFEO can be used to run an arbitrary monitor program when a specified program silently exits. How can adversaries use this to gain persistence? The monitor program can be malware!

Is this persistence mechanism used in the wild? Yes! For example, this technique was used by the TRITON threat actor.

How can forensic analysts find this mechanism? In fact, it’s pretty easy. All you need to do is look at the following registry key in the SOFTWARE file:

Microsoft\Windows NT\CurrentVersion\SilentProcessExit

Let’s focus on the subkeys. In our case there is one, “iexplore.exe”:

iexplore.exe subkey contents as seen in Registry Explorer

So, our subkey has a MonitorProcess value with the following data: C:\Windows\1.exe. It means that when iexplore.exe (Internet Explorer) is closed, for example, by the user, 1.exe from C:\Windows will be run.

Another interesting thing: this technique was first presented to the public by Oddvar Moe on 10 April 2018, but it still isn’t detected by Autoruns:

Autorun output – no IFEO injection detected
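Since Autoruns does not surface this key, the check can be scripted. The following is an added example, not part of the original article: it assumes the SilentProcessExit key has been exported to .reg text (for example with reg export), and the function name, the sample text and the notepad.exe subkey are constructed for illustration.

```python
import re

# Matched as a case-insensitive suffix, so the root the hive was mounted
# under (HKLM or an offline-hive mount point) does not matter.
KEY_SUFFIX = r"\microsoft\windows nt\currentversion\silentprocessexit" + "\\"

# Constructed sample: .reg export text of the key discussed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\iexplore.exe]
"MonitorProcess"="C:\\Windows\\1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"LocalDumpFolder"="C:\\Dumps"
'''

REG_SZ_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def find_monitor_processes(reg_text):
    """Return [(image_name, monitor_path)] for each SilentProcessExit
    subkey that carries a MonitorProcess string value."""
    hits, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(KEY_SUFFIX)
            rest = key[pos + len(KEY_SUFFIX):] if pos != -1 else ""
            # Only direct subkeys (one per watched image) are relevant.
            image = rest if rest and "\\" not in rest else None
            continue
        m = REG_SZ_LINE.match(line)
        if image and m and _unescape(m.group(1)).lower() == "monitorprocess":
            hits.append((image, _unescape(m.group(2))))
    return hits


if __name__ == "__main__":
    for image, monitor in find_monitor_processes(SAMPLE_REG):
        print(f"{image}: on silent exit runs {monitor}")
```

Each hit is a lead to triage: check the monitor binary's path, timestamps and signature before deciding whether it is legitimate tooling or persistence.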

If you want a specific technique to be examined next from a forensics point of view – ping me on Twitter.

Happy forensicating!
