DET0422 Detection Strategy for IFEO Injection on Windows

Item	Value
ID	DET0422
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1546.012 (Image File Execution Options Injection)

Analytics

Windows

AN1186

Registry key modifications under IFEO paths (e.g., Debugger value set under Image File Execution Options), especially for security-related or accessibility binaries, followed by anomalous process execution with debugger flags or SYSTEM-level access at login. Detectable by correlating registry modifications, process creation, and parent-child anomalies with unusual command-line usage or access tokens.

Log Sources

Data Component	Name	Channel
Windows Registry Key Modification (DC0063)	WinEventLog:Security	EventCode=4657
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
Windows Registry Key Creation (DC0056)	WinEventLog:Sysmon	EventCode=12

Mutable Elements

Field	Description
TimeWindow	Time delta for correlating registry modification and debugger-triggered execution
TargetBinary	Specific executables that trigger defenders’ alerts when IFEO values are set
ParentProcessAnomaly	Tunable logic for detecting parent-child anomalies (e.g., non-standard parent processes)
TokenElevationContext	May require tuning based on normal SYSTEM or admin process elevation patterns