This note documents detection patterns for Image File Execution Options (IFEO) abuse in Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 12 | Registry object create/delete | Critical | Detects creation of IFEO keys. |
| Sysmon | 13 | Registry value set | Critical | Core indicator for Debugger, GlobalFlag, VerifierDlls. |
| Security | 4657 | Registry value modified | High | Native audit if enabled. |
| Sysmon | 1 | Process creation | Critical | Shows hijacked binary launching attacker payload. |
| Security | 4688 | Process creation | Critical | Parent-child context after trigger. |
| Sysmon | 11 | File create | Medium | Payload written before IFEO registration. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Debugger value added | Executable redirected | Critical | Core abuse primitive. |
| Accessibility binary targeted | sethc.exe, utilman.exe, osk.exe | Critical | Classic persistence. |
| Trusted binary launches unusual child | Hijacked process starts payload | Critical | Strong execution clue. |
| IFEO key on workstation | Rare outside dev/debug environments | High | Strong anomaly. |
| SilentProcessExit pair exists | Advanced persistence chain | High | Often paired with IFEO abuse. |
| GlobalFlag unusual | Loader manipulation | High | Advanced technique clue. |
Common Tools
| Tool | Usage |
|---|---|
| reg.exe | Direct registry modification |
| PowerShell | New-ItemProperty / Set-ItemProperty |
| regedit.exe | Manual registry abuse |
| custom malware | IFEO persistence |
Relevant Artifacts
- Sysmon Event IDs 12, 13, 1, 11
- Security Event IDs 4657, 4688
- Registry path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
- Common values: Debugger, GlobalFlag, VerifierDlls
- Prefetch: REG.EXE, POWERSHELL.EXE
- Amcache / ShimCache
- EDR registry timeline
MITRE ATT&CK References
- T1546.012 Image File Execution Options Injection
- T1112 Modify Registry
Decision Tree
- Which executable targeted?
  - Accessibility binary
  - User app
  - System utility
- Which value set?
  - Debugger
  - GlobalFlag
  - VerifierDlls
- Trigger observed?
  - Process launch
  - Login screen abuse
  - User execution
- Follow-up activity?
  - SYSTEM shell
  - Persistence
  - Credential access
- Expand:
  - SilentProcessExit
  - Adjacent registry persistence
  - Payload location
- Scope:
  - Single IFEO key
  - Multiple binaries
  - Campaign pattern
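The indicator tables and the decision tree above can be turned into a triage function that runs over Sysmon Event ID 13 (registry value set) records. The following is an added example written for this note, not code from the original page: the records are constructed samples carried as flat dicts with the Sysmon field names `TargetObject` and `Details`, the watch lists are taken from the tables above, and the severity labels follow the decision tree (Debugger and accessibility binaries are critical, GlobalFlag and VerifierDlls are high, the SilentProcessExit sibling key is high). It also recognises GlobalFlag 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT), which is the flag that makes the SilentProcessExit key worth expanding.

```python
"""Triage Sysmon Event ID 13 records against the IFEO indicator tables.

Added example for this note, not code from the original page. Records are
constructed samples in a flat dict shape with the Sysmon field names
TargetObject and Details; severity labels follow the decision tree.
"""
import re

# Watch list taken from the indirect indicator table (login-screen triggers)
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe"}

# ...\Image File Execution Options\<target>[\subkey...]\<value>
_IFEO_RE = re.compile(
    r"\\Image File Execution Options\\(?P<target>[^\\]+)(?:\\[^\\]+)*\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
# ...\SilentProcessExit\<target>\<value>  (sibling key, paired with GlobalFlag 0x200)
_SPE_RE = re.compile(
    r"\\SilentProcessExit\\(?P<target>[^\\]+)\\(?P<value>[^\\]+)$", re.IGNORECASE)
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200


def _dword(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000200)'; pull the integer out."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details or "")
    return int(m.group(1), 16) if m else None


def classify_ifeo_event(event):
    """Return a verdict dict for an IFEO/SilentProcessExit write, else None."""
    path = event.get("TargetObject", "")
    details = event.get("Details", "")
    kind, m = "ifeo", _IFEO_RE.search(path)
    if not m:
        kind, m = "silentprocessexit", _SPE_RE.search(path)
    if not m:
        return None                        # write is outside both trees
    target, value = m.group("target").lower(), m.group("value")
    reasons, severity = [], "medium"      # other IFEO values (e.g. PerfOptions) stay medium
    if kind == "ifeo":
        if value.lower() == "debugger":    # core abuse primitive: executable redirected
            severity = "critical"
            reasons.append(f"Debugger redirects {target} to {details}")
        elif value.lower() in ("globalflag", "verifierdlls"):
            severity = "high"              # loader manipulation
            reasons.append(f"{value} set on {target}")
        if value.lower() == "globalflag":
            flags = _dword(details)
            if flags is not None and flags & FLG_MONITOR_SILENT_PROCESS_EXIT:
                reasons.append("GlobalFlag 0x200 set: expand to the SilentProcessExit key")
    else:
        severity = "high"
        reasons.append(f"SilentProcessExit\\{target}\\{value} = {details}")
    if target in ACCESSIBILITY_BINARIES:   # login-screen trigger, no user session needed
        severity = "critical"
        reasons.append(f"{target} is an accessibility binary")
    return {"kind": kind, "target": target, "value": value,
            "severity": severity, "reasons": reasons}


def triage(events):
    """Run the classifier over a batch and keep only IFEO-related verdicts."""
    return [v for v in (classify_ifeo_event(e) for e in events) if v]


IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
SAMPLE_EVENTS = [  # constructed Event 13 records, not real telemetry
    {"TargetObject": IFEO + r"\sethc.exe\Debugger", "Details": r"C:\Windows\System32\cmd.exe"},
    {"TargetObject": IFEO + r"\notepad.exe\GlobalFlag", "Details": "DWORD (0x00000200)"},
    {"TargetObject": SPE + r"\notepad.exe\MonitorProcess", "Details": r"C:\Users\Public\mon.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "Details": "x.exe"},
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict["severity"].upper(), verdict["target"], verdict["value"],
              "; ".join(verdict["reasons"]))
```

The Run-key record is there on purpose: a triage function that only keys on "registry value set" would fire on it, while matching the IFEO and SilentProcessExit paths explicitly keeps the Medium/High/Critical split of the tables above meaningful.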
Example Detection Templates
KQL
```kql
Sysmon
| where EventID in (12,13)
| where TargetObject has "Image File Execution Options"
| project TimeGenerated, Computer, User, TargetObject, Details
```

```kql
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("sethc.exe","utilman.exe","osk.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName
```
EQL
```eql
registry where registry.path like "*Image File Execution Options*"
```

```eql
sequence by host.name with maxspan=10m
  [ registry where registry.path like "*Image File Execution Options*" ]
  [ process where process.parent.name in ("sethc.exe","utilman.exe","osk.exe") ]
```
Sigma
```yaml
title: IFEO Abuse Detection
id: 1e8d5a33-ifeo-abuse
status: experimental
description: Detects Image File Execution Options registry abuse
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID:
      - 12
      - 13
  keywords:
    TargetObject|contains: 'Image File Execution Options'
  condition: selection and keywords
fields:
  - TargetObject
  - Details
falsepositives:
  - Debugging environments
level: high
tags:
  - attack.persistence
  - attack.t1546.012
```
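The EQL sequence above pairs an IFEO write with a later process whose parent is one of three accessibility binaries. The following is an added example for this note, not one of the page's templates, that implements the same host-scoped sequence over a constructed event stream and goes one step further in two ways: it links the process launch to the specific image named in the registry path rather than to a fixed list, and it also matches a process whose command line carries the targeted image, which is how a Debugger-value launch shows up (Windows starts the debugger with the original image as its argument, so the hijacked binary never appears as the parent). The field names (`host`, `ts`, `event_id`, `target_object`, `parent_name`, `command_line`, `image`) are assumptions for the sample, not the Sysmon schema.

```python
"""Host-scoped sequence: an IFEO write for <target>, then within maxspan a
process launch that the targeted image explains.

Added example for this note, not the page's own template. Events are
constructed samples in a flat dict shape; the field names are assumptions,
not the Sysmon schema.
"""
import re
from datetime import datetime, timedelta

_IFEO_TARGET = re.compile(
    r"\\Image File Execution Options\\(?P<target>[^\\]+)\\", re.IGNORECASE)


def _mentions_target(ev, target):
    """How a process-create event references the IFEO target, if at all."""
    if ev.get("parent_name", "").lower() == target:
        return "parent"                     # GlobalFlag/VerifierDlls style: target runs, spawns payload
    if re.search(r"\b" + re.escape(target) + r"\b", ev.get("command_line", "").lower()):
        return "command_line"               # Debugger style: payload launched with target path as argument
    return None


def correlate(events, maxspan=timedelta(minutes=10)):
    """Return one alert per process launch explained by a recent IFEO write
    on the same host; the registry event is the pending side of the pair."""
    pending = {}   # (host, target image) -> most recent IFEO write for it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event_id"] in (12, 13):          # Sysmon registry create / value set
            m = _IFEO_TARGET.search(ev.get("target_object", ""))
            if m:
                pending[(host, m.group("target").lower())] = ev
        elif ev["event_id"] == 1:               # Sysmon process create
            for (h, target), reg in pending.items():
                if h != host:
                    continue
                how = _mentions_target(ev, target)
                if how and ev["ts"] - reg["ts"] <= maxspan:
                    alerts.append({
                        "host": host, "target": target,
                        "registry_value": reg["target_object"].rsplit("\\", 1)[-1],
                        "image": ev.get("image"), "matched_on": how,
                        "seconds_after_write": int((ev["ts"] - reg["ts"]).total_seconds()),
                    })
    return alerts


IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
T0 = datetime(2026, 3, 7, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "ws01", "ts": T0, "event_id": 13,
     "target_object": IFEO + r"\sethc.exe\Debugger"},
    # Debugger launch: cmd.exe started by winlogon with sethc.exe on its command line
    {"host": "ws01", "ts": T0 + timedelta(minutes=3), "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_name": "winlogon.exe",
     "command_line": r'C:\Windows\System32\cmd.exe "C:\Windows\System32\sethc.exe"'},
    {"host": "ws02", "ts": T0, "event_id": 13,
     "target_object": IFEO + r"\notepad.exe\VerifierDlls"},
    # target keeps running and spawns the payload itself
    {"host": "ws02", "ts": T0 + timedelta(minutes=5), "event_id": 1,
     "image": r"C:\Users\Public\updater.exe", "parent_name": "notepad.exe",
     "command_line": r"C:\Users\Public\updater.exe"},
    # no preceding IFEO write on this host: no alert
    {"host": "ws03", "ts": T0 + timedelta(minutes=1), "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_name": "sethc.exe",
     "command_line": r"C:\Windows\System32\cmd.exe"},
    # parent matches but 30 minutes after the write: outside maxspan
    {"host": "ws02", "ts": T0 + timedelta(minutes=30), "event_id": 1,
     "image": r"C:\Windows\System32\calc.exe", "parent_name": "notepad.exe",
     "command_line": "calc.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Keying the pending side on the image named in the registry path is what lets the same rule cover a user application or system utility from the decision tree, not only the three accessibility binaries the template lists; the `maxspan` check mirrors the EQL `with maxspan=10m` and is what keeps the ws02 30-minute launch out of the result.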
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Registry monitoring | Alert on IFEO writes | Critical | Core visibility |
| Baseline IFEO keys | Rare entries reviewed | Critical | Low false positives |
| Protect accessibility binaries | Watch trigger paths | High | Common abuse path |
| Central registry telemetry | Preserve changes | High | Strong forensic value |
| Restrict admin rights | Reduce registry abuse | High | Prevent persistence |