Image File Execution Options (IFEO)

Tags: windows | Persistence Mechanisms | Disk Image

Location

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> (HKLM SOFTWARE hive; on 64-bit systems also check SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>. The related SilentProcessExit\<executable> key sits under the same CurrentVersion key.)

Description

Registry subkeys, each named after an executable's file name (not its full path), whose Debugger value tells the Windows process loader to start the named "debugger" program instead and pass the original command line to it as arguments; the legitimate binary only runs if that program chooses to launch it. Because matching is by file name alone, one entry affects every copy of that executable on the system. Attackers abuse the Debugger value to redirect accessibility tools (sethc.exe, utilman.exe, osk.exe, narrator.exe) to a backdoor such as cmd.exe.

Forensic Value

IFEO debugger hijacking is a persistence technique that also provides privilege escalation whenever the hijacked binary is started by a privileged process. The classic attack sets the Debugger value for sethc.exe (Sticky Keys) to cmd.exe; winlogon launches sethc.exe as SYSTEM at the logon screen when Shift is pressed five times, so the attacker gets a SYSTEM command prompt without credentials. The same trick works for utilman.exe (Ease of Access button) and osk.exe, and the attacker needs only write access to the key, not a modified binary, so file-integrity checks of System32 will not catch it. Enumerating every IFEO subkey that carries a Debugger value reveals these backdoors; any Debugger value on an accessibility tool is a red flag, while a Debugger value on taskmgr.exe pointing at procexp.exe is a known legitimate case created by Process Explorer's "Replace Task Manager" option and should be verified rather than assumed malicious. A second, quieter variant sets GlobalFlag to 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) on the IFEO subkey and places a MonitorProcess value under SilentProcessExit\<executable>; Windows then starts the monitor program each time the target process exits, giving persistence without touching the Debugger value, so both locations need to be reviewed together.
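The following triage script is an added example written for this page, not a tool from the catalog above. It walks both IFEO locations (native and WOW6432Node), reports every subkey with a Debugger value, flags accessibility tools as high severity, and also reports subkeys whose GlobalFlag has 0x200 set together with the MonitorProcess value from the matching SilentProcessExit subkey. The accessibility tool list and the severity labels are the author's assumptions; the registry paths and value names are the documented ones.

```powershell
# Added example (not part of the original page): live-host IFEO triage.
# Run from an elevated PowerShell prompt. To review an offline SOFTWARE hive instead,
# load it first (reg load HKLM\EvidenceSOFTWARE C:\evidence\SOFTWARE) and pass
# -HiveRoot 'HKLM:\EvidenceSOFTWARE'.
param(
    [string]$HiveRoot = 'HKLM:\SOFTWARE'
)

$ifeoPaths = @(
    (Join-Path $HiveRoot 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'),
    (Join-Path $HiveRoot 'WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')
)

# Assumed watch list: binaries winlogon can launch as SYSTEM at the logon screen.
$accessibilityTools = @('sethc.exe','utilman.exe','osk.exe','narrator.exe',
                        'magnify.exe','displayswitch.exe','atbroker.exe')

$findings = foreach ($base in $ifeoPaths) {
    if (-not (Test-Path $base)) { continue }
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $exe   = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

        # Debugger value: the named program runs instead of $exe.
        if ($props.Debugger) {
            [pscustomobject]@{
                Target   = $exe
                Type     = 'Debugger'
                Value    = $props.Debugger
                Severity = if ($accessibilityTools -contains $exe.ToLower()) { 'HIGH' } else { 'REVIEW' }
                Key      = $key.Name
            }
        }

        # GlobalFlag 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT; the monitor program is named
        # in SilentProcessExit\<exe>\MonitorProcess next to the IFEO key.
        if ($props.GlobalFlag -and (($props.GlobalFlag -band 0x200) -ne 0)) {
            $speKey   = Join-Path ($base -replace 'Image File Execution Options$', 'SilentProcessExit') $exe
            $speProps = if (Test-Path $speKey) { Get-ItemProperty -Path $speKey -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Target   = $exe
                Type     = 'SilentProcessExit'
                Value    = $speProps.MonitorProcess
                Severity = 'REVIEW'
                Key      = $speKey
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Severity, Target | Format-Table -AutoSize
} else {
    'No IFEO Debugger or SilentProcessExit monitor values found.'
}
```

On a clean workstation the output is normally empty or contains only the Process Explorer taskmgr.exe entry; any HIGH row should be treated as a confirmed backdoor until the key's last-write timestamp and the referenced binary have been examined.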

Tools Required

KAPE
Registry Explorer (Eric Zimmerman)
RegRipper
Autoruns (Sysinternals)