Malware can achieve persistence without raising red flags by taking advantage of a seemingly harmless feature in Windows called Image File Execution Options (IFEO).
This feature, mostly geared towards software developers, allows any process to be debugged by immediately attaching a "debugger" when the requested executable is launched: Windows reads the Debugger value under the executable's IFEO registry key and runs that command instead, passing it the original executable and its arguments. Malicious actors may set the Debugger value of a legitimate executable to point at a malicious one, effectively redirecting execution, injecting code, or running arbitrary commands every time the program is launched.
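To see which executables on a host currently have a debugger registered this way, the following PowerShell audit walks both the native and the WOW6432Node IFEO registry paths and reports every subkey that carries a Debugger value. This is an added example written for this page; it is not EventSentry's validation script, and the function name Get-IfeoDebugger and the output fields are my own choices.

```powershell
# Added example (not EventSentry code): enumerate IFEO subkeys that carry a
# "Debugger" value. Each hit means launching <Image> actually runs <Debugger>
# with the original command line appended, so every entry deserves review.

# Both registry views: 64-bit native and the WOW6432Node view used by 32-bit images.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # Hypothetical helper name; returns one object per image that has a Debugger value.
    param([string[]]$Roots = $IfeoRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # Get-ItemProperty -Name writes a non-terminating error when the value is absent;
            # SilentlyContinue turns that into $null so only real Debugger values survive.
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            [pscustomobject]@{
                Image    = $key.PSChildName   # e.g. notepad.exe
                Debugger = $debugger          # command Windows launches instead of Image
                Key      = $key.Name          # full registry path, for follow-up or removal
            }
        }
    }
}

# Run as an administrator so HKLM is readable in full; an empty result means no
# Debugger values are registered in either view.
Get-IfeoDebugger | Format-Table -AutoSize
```

Any hit should be compared against what is actually installed on the machine (a developer box may legitimately register a debugger for a specific image), and an entry that cannot be explained should be removed with Remove-ItemProperty on the reported Key and Debugger name after the referenced debugger binary has been collected for analysis.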
EventSentry Benefits

Image File Execution Options: the Validation Script "Threat Intel: Persistence - Debugger" identifies insecure Image File Execution Options settings, such as an unexpected Debugger value registered for an executable.