New

The executive guide to generative AI

Read more

Image File Execution Options Injection

edit

The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 41

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 6 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
registry where length(registry.data.strings) > 0 and registry.path :
("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
Execution Options\\*.exe\\Debugger",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows
NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows
NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and /*
add FPs here */ not registry.data.strings regex~ ("""C:\\Program
Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""",
""".*\\PSAppDeployToolkit\\.*""")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 6 (8.4.0 release)
  • Formatting only
Version 5 (8.1.0 release)
  • Formatting only
Version 4 (7.14.0 release)
  • Updated query, changed from:

    registry where length(registry.data.strings) > 0 and registry.path :
    ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File
    Execution Options\\*.exe\\Debugger",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows
    NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
    "HKLM\\SOFTWARE\\Microsoft\\Windows
    NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows
    NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and /*
    add FPs here */ not registry.data.strings : ("C:\\Program
    Files*\\ThinKiosk\\thinkiosk.exe", "*\\PSAppDeployToolkit\\*")
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only
Was this helpful?
Feedback