Image File Execution Options (IFEO)

Windows, Persistence Mechanisms, Disk Image

Location

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>

Description

Registry keys that allow specifying a debugger to attach to any executable at launch. Attackers abuse the Debugger value to redirect accessibility tool execution (sethc.exe, utilman.exe, narrator.exe) to backdoor commands.

Forensic Value

IFEO debugger hijacking is a persistence and privilege escalation technique that replaces the execution of a legitimate binary with an attacker-controlled one. The classic attack sets sethc.exe (Sticky Keys) Debugger to cmd.exe, providing a SYSTEM command prompt at the Windows login screen via five Shift key presses. Checking all IFEO entries with a Debugger value set reveals these backdoors. GlobalFlag modifications can also be used for silent process monitoring.
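An added PowerShell check (not part of this page or of the tools it lists) that enumerates every IFEO subkey, reports Debugger values, flags the accessibility tools named above, and follows the GlobalFlag silent-exit bit to the matching SilentProcessExit entry. It runs against the live registry by default; the -IfeoRoot parameter, the extended list of accessibility binaries and the loaded-hive path are assumptions of this example.

```powershell
# Added example: list IFEO Debugger hijacks and silent-process-exit monitors.
# To examine a collected hive instead of the live system, run
#   reg load HKLM\Evidence C:\output\SOFTWARE
# and pass -IfeoRoot 'HKLM:\Evidence\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'.
param(
    [string]$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Login-screen accessibility binaries; a Debugger on any of these is the classic backdoor.
# The first three are the ones named on this page; the rest are commonly watched with them.
$AccessibilityTools = 'sethc.exe', 'utilman.exe', 'narrator.exe', 'osk.exe', 'magnify.exe', 'displayswitch.exe'

# FLG_MONITOR_SILENT_PROCESS_EXIT (0x200): when set in GlobalFlag, Windows consults
# SilentProcessExit\<executable> and launches its MonitorProcess when <executable> exits.
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
$SilentExitRoot = Join-Path (Split-Path $IfeoRoot -Parent) 'SilentProcessExit'
$rootName = (Get-Item -Path $IfeoRoot).Name   # HKEY_LOCAL_MACHINE\... form, used to derive <executable>

# -Recurse also catches filtered entries (UseFilter=1) that keep Debugger in a nested subkey.
$findings = foreach ($key in Get-ChildItem -Path $IfeoRoot -Recurse -ErrorAction SilentlyContinue) {
    $props      = Get-ItemProperty -Path $key.PSPath
    $exe        = $key.Name.Substring($rootName.Length + 1).Split('\')[0]
    $debugger   = $props.Debugger
    $globalFlag = [int]$props.GlobalFlag            # missing value casts to 0
    $silentExit = [bool]($globalFlag -band $FLG_MONITOR_SILENT_PROCESS_EXIT)

    if (-not $debugger -and -not $silentExit) { continue }   # benign entry (e.g. compatibility flags only)

    $monitor = $null
    if ($silentExit) {
        $monitor = (Get-ItemProperty -Path (Join-Path $SilentExitRoot $exe) -ErrorAction SilentlyContinue).MonitorProcess
    }

    if ($debugger -and $exe -in $AccessibilityTools) { $severity = 'HIGH: accessibility tool hijack' }
    elseif ($debugger)                               { $severity = 'REVIEW: debugger set' }
    else                                             { $severity = 'REVIEW: silent exit monitor' }

    [pscustomobject]@{
        Executable     = $exe
        Key            = $key.Name
        Debugger       = $debugger
        GlobalFlag     = ('0x{0:X}' -f $globalFlag)
        MonitorProcess = $monitor
        Severity       = $severity
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

Entries whose GlobalFlag carries only application-compatibility bits and no Debugger are skipped, so a clean host should produce an empty table.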

Tools Required

  • KAPE
  • Registry Explorer (Eric Zimmerman)
  • RegRipper
  • Autoruns (Sysinternals)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger

Autoruns

autorunsc.exe -a h -c -h -s -accepteula > C:\output\autoruns_ifeo.csv

RegRipper

rip.exe -r C:\output\SOFTWARE -p imagefile

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1546.012
  • T1546