T1546.012 Image File Execution Options Injection Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Image File Execution Options"
| where RegistryValueName in~ ("Debugger", "GlobalFlag", "MitigationOptions")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend TargetBinary = extract(@"Image File Execution Options\\([^\\]+)", 1, RegistryKey)
| extend DebuggerPayload = RegistryValueData
| extend IsHighValueTarget = TargetBinary in~ (
    "sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe",
    "DisplaySwitch.exe", "AtBroker.exe", "taskmgr.exe", "regedit.exe",
    "msconfig.exe", "mmc.exe", "cmd.exe", "powershell.exe"
  )
| extend SuspiciousDebugger = DebuggerPayload has_any (
    "cmd.exe", "powershell", "mshta", "wscript", "cscript",
    "rundll32", "regsvr32", "AppData", "Temp", "ProgramData"
  )
| extend IsSilentExit = RegistryValueName =~ "GlobalFlag" and RegistryValueData == "512"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
         TargetBinary, RegistryValueName, DebuggerPayload,
         IsHighValueTarget, SuspiciousDebugger, IsSilentExit,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Developers legitimately attaching debuggers (Visual Studio, WinDbg) to specific applications during development and testing — these should set Debugger to a known debugger path like vsjitdebugger.exe
Just-In-Time (JIT) debugging configured by Visual Studio or Windbg installation which sets a global IFEO Debugger entry for all processes
Application error reporting tools that register themselves as debuggers to capture crash dumps
Security products that use IFEO to inject their monitoring DLLs or intercept specific process launches

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval IsIFEO=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "Image File Execution Options"),
    1, 0
  )
| where IsIFEO=1
| eval IsDebugger=if(match(TargetObject, "Debugger"), 1, 0)
| eval IsGlobalFlag=if(match(TargetObject, "GlobalFlag") AND Details="512", 1, 0)
| eval TargetBinary=mvindex(split(TargetObject, "\\"), -2)
| eval IsAccessibilityBin=if(
    match(lower(TargetBinary), "(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe"),
    1, 0
  )
| eval IsHighValueBin=if(
    match(lower(TargetBinary), "(taskmgr|regedit|msconfig|cmd|powershell|mmc)\.exe"),
    1, 0
  )
| eval SuspiciousValue=if(
    match(lower(Details), "(cmd\.exe|powershell|mshta|wscript|cscript|rundll32|regsvr32|appdata|\\\\temp\\\\|programdata)"),
    1, 0
  )
| eval DetectionType=case(
    IsAccessibilityBin=1 AND IsDebugger=1, "IFEO_ACCESSIBILITY_BACKDOOR",
    IsHighValueBin=1 AND IsDebugger=1, "IFEO_SYSBIN_HIJACK",
    IsGlobalFlag=1, "IFEO_SILENT_EXIT",
    SuspiciousValue=1 AND IsDebugger=1, "IFEO_SUSPICIOUS_DEBUGGER",
    IsDebugger=1, "IFEO_DEBUGGER_SET",
    1=1, "IFEO_KEY_MODIFIED"
  )
| table _time, host, User, EventCode, DetectionType, TargetBinary, TargetObject, Details, Image, CommandLine
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 12 (RegistryEvent - Object Create/Delete) Sysmon Event ID 13 (RegistryEvent - Value Set)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers attaching debuggers (Visual Studio vsjitdebugger.exe) during development
JIT debugging configured by Visual Studio installation
Application error reporting tools registering as crash debuggers
Security products using IFEO for monitoring injection

Elastic Security (EQL)

eql

registry where event.type in ("change", "creation") and
  registry.path : "*\\Image File Execution Options\\*" and
  registry.value : ("Debugger", "GlobalFlag", "MitigationOptions") and
  (
    registry.data.strings : ("*cmd.exe*", "*powershell*", "*mshta*", "*wscript*", "*cscript*", "*rundll32*", "*regsvr32*", "*AppData*", "*\\Temp\\*", "*ProgramData*") or
    process.name : ("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe") or
    (registry.value : "GlobalFlag" and registry.data.strings : "512")
  )

high severity high confidence

Data Sources

Windows Registry Events via Elastic Agent (winlogbeat/Sysmon) Microsoft Defender for Endpoint via Elastic integration

Required Tables

logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate software developers attaching debuggers (e.g., Visual Studio, WinDbg) to applications under test — verify registry author and debugger path against known development workstations
Application compatibility shims or crash dump tools (e.g., ProcDump, Dr. Watson) that legitimately set IFEO Debugger values for specific binaries
Security software such as EDR agents or AV engines that set MitigationOptions or GlobalFlag on high-risk processes as a protective measure

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  "TargetObject",
  "Details",
  "Image",
  "CommandLine",
  sourceip,
  CASE
    WHEN LOWER("TargetObject") LIKE '%sethc.exe%' OR LOWER("TargetObject") LIKE '%utilman.exe%'
      OR LOWER("TargetObject") LIKE '%osk.exe%' OR LOWER("TargetObject") LIKE '%magnify.exe%'
      OR LOWER("TargetObject") LIKE '%narrator.exe%' OR LOWER("TargetObject") LIKE '%displayswitch.exe%'
      OR LOWER("TargetObject") LIKE '%atbroker.exe%'
      THEN 'IFEO_ACCESSIBILITY_BACKDOOR'
    WHEN LOWER("TargetObject") LIKE '%taskmgr.exe%' OR LOWER("TargetObject") LIKE '%regedit.exe%'
      OR LOWER("TargetObject") LIKE '%cmd.exe%' OR LOWER("TargetObject") LIKE '%powershell.exe%'
      THEN 'IFEO_SYSBIN_HIJACK'
    WHEN LOWER("TargetObject") LIKE '%globalflag%' AND "Details" = '512'
      THEN 'IFEO_SILENT_EXIT'
    WHEN LOWER("Details") LIKE '%powershell%' OR LOWER("Details") LIKE '%mshta%'
      OR LOWER("Details") LIKE '%wscript%' OR LOWER("Details") LIKE '%rundll32%'
      OR LOWER("Details") LIKE '%appdata%' OR LOWER("Details") LIKE '%temp%'
      THEN 'IFEO_SUSPICIOUS_DEBUGGER'
    ELSE 'IFEO_KEY_MODIFIED'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 115)
  AND (QIDNAME(qid) LIKE '%Registry%' OR QIDNAME(qid) LIKE '%Sysmon%')
  AND ("EventID" = '12' OR "EventID" = '13')
  AND LOWER("TargetObject") LIKE '%image file execution options%'
  AND (
    LOWER("TargetObject") LIKE '%\\debugger'
    OR LOWER("TargetObject") LIKE '%\\globalflag'
    OR LOWER("TargetObject") LIKE '%\\mitigationoptions'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

high severity high confidence

Data Sources

Sysmon for Windows (EventID 12, 13 — Registry Create/Modify) Windows Security Event Log via QRadar WinCollect

Required Tables

events

False Positives

Software developers using Visual Studio or WinDbg Just-In-Time debugging, which legitimately writes Debugger values to IFEO keys for crash analysis
Enterprise application compatibility tooling (Microsoft Application Compatibility Toolkit) that sets IFEO keys to redirect or shim legacy executables
Endpoint security products that configure GlobalFlag or MitigationOptions on processes to enforce exploit mitigation policies (e.g., EMET legacy configs, Windows Defender Application Guard)

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventCode in ("12", "13")
| where TargetObject matches "*Image File Execution Options*"
| where TargetObject matches "*Debugger*" OR TargetObject matches "*GlobalFlag*" OR TargetObject matches "*MitigationOptions*"
| parse regex field=TargetObject "Image File Execution Options\\\\(?<TargetBinary>[^\\\\]+)\\\\" nodrop
| eval IsAccessibilityBin = if(
    TargetBinary matches /(?i)(sethc|utilman|osk|magnify|narrator|displayswitch|atbroker)\.exe/,
    1, 0
  )
| eval IsHighValueBin = if(
    TargetBinary matches /(?i)(taskmgr|regedit|msconfig|cmd|powershell|mmc)\.exe/,
    1, 0
  )
| eval IsDebuggerKey = if(TargetObject matches "*Debugger*", 1, 0)
| eval IsGlobalFlag = if(TargetObject matches "*GlobalFlag*" AND Details = "512", 1, 0)
| eval SuspiciousPayload = if(
    Details matches /(?i)(cmd\.exe|powershell|mshta|wscript|cscript|rundll32|regsvr32|appdata|\\temp\\|programdata)/,
    1, 0
  )
| eval DetectionType = if(IsAccessibilityBin = 1 AND IsDebuggerKey = 1, "IFEO_ACCESSIBILITY_BACKDOOR",
    if(IsHighValueBin = 1 AND IsDebuggerKey = 1, "IFEO_SYSBIN_HIJACK",
    if(IsGlobalFlag = 1, "IFEO_SILENT_EXIT",
    if(SuspiciousPayload = 1 AND IsDebuggerKey = 1, "IFEO_SUSPICIOUS_DEBUGGER",
    if(IsDebuggerKey = 1, "IFEO_DEBUGGER_SET", "IFEO_KEY_MODIFIED")))))
| fields _messageTime, Computer, User, EventCode, DetectionType, TargetBinary, TargetObject, Details, Image, CommandLine
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon operational log (EventCode 12 — Registry Key Create, EventCode 13 — Registry Value Set) Windows Security Event Log

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Crash dump and debugging utilities (ProcDump, Dr. Watson, WER) that register themselves as JIT debuggers via IFEO Debugger values on specific application binaries during incident response
Application performance monitoring agents that set IFEO MitigationOptions to disable DEP or ASLR on legacy applications for compatibility in controlled environments
IT management tooling or software packaging systems (e.g., InstallShield, WiX) that write IFEO keys during installation or uninstallation of software that includes crash reporting modules

Google Chronicle / SecOps

yaral

rule ifeo_injection_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Image File Execution Options injection via registry modification of Debugger, GlobalFlag, or MitigationOptions values"
    mitre_attack_technique = "T1546.012"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    $reg.target.registry.registry_key = /(?i)Image File Execution Options\\/
    (
      $reg.target.registry.registry_value_name = /(?i)^(Debugger|GlobalFlag|MitigationOptions)$/
    )
    (
      $reg.target.registry.registry_value_data = /(?i)(cmd\.exe|powershell|mshta|wscript\.exe|cscript\.exe|rundll32|regsvr32|AppData|\\Temp\\|ProgramData)/
      or
      $reg.target.registry.registry_key = /(?i)(sethc\.exe|utilman\.exe|osk\.exe|Magnify\.exe|Narrator\.exe|DisplaySwitch\.exe|AtBroker\.exe|taskmgr\.exe|regedit\.exe|msconfig\.exe|mmc\.exe)/
      or
      (
        $reg.target.registry.registry_value_name = "GlobalFlag"
        and $reg.target.registry.registry_value_data = "512"
      )
    )
    $reg.principal.hostname = $hostname

  condition:
    $reg
}

high severity high confidence

Data Sources

Windows Registry events via Chronicle Windows sensor or Sysmon forwarding Microsoft Defender for Endpoint (MDE) registry telemetry ingested into Chronicle

Required Tables

REGISTRY_MODIFICATION UDM events

False Positives

Legitimate JIT debugger registration by development IDEs (Visual Studio, JetBrains Rider) which write their debugger path to IFEO for applications under active development — validate against developer workstation asset inventory
Windows Defender Application Control or EMET policy enforcement tools writing MitigationOptions values to enforce exploit protection on vulnerable application binaries
Automated software testing frameworks or CI/CD build agents that configure IFEO Debugger values on test binaries to capture crashes in sandboxed environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("RegGenericValueUpdate", "AsepValueUpdate", "RegSystemConfigValueUpdate")
| TargetObject = /(?i)Image\s+File\s+Execution\s+Options/
| ValueName = /(?i)^(Debugger|GlobalFlag|MitigationOptions)$/
| IsAccessibilityTarget := TargetObject = /(?i)(sethc\.exe|utilman\.exe|osk\.exe|magnify\.exe|narrator\.exe|displayswitch\.exe|atbroker\.exe)/
| IsHighValueTarget := TargetObject = /(?i)(taskmgr\.exe|regedit\.exe|msconfig\.exe|cmd\.exe|powershell\.exe|mmc\.exe)/
| SuspiciousPayload := RegStringValue = /(?i)(cmd\.exe|powershell|mshta|wscript|cscript|rundll32|regsvr32|AppData|\\Temp\\|ProgramData)/
| IsSilentExit := ValueName = "GlobalFlag" AND RegStringValue = "512"
| DetectionType := if(IsAccessibilityTarget AND ValueName = "Debugger", "IFEO_ACCESSIBILITY_BACKDOOR",
    if(IsHighValueTarget AND ValueName = "Debugger", "IFEO_SYSBIN_HIJACK",
    if(IsSilentExit, "IFEO_SILENT_EXIT",
    if(SuspiciousPayload AND ValueName = "Debugger", "IFEO_SUSPICIOUS_DEBUGGER",
    if(ValueName = "Debugger", "IFEO_DEBUGGER_SET", "IFEO_KEY_MODIFIED")))))
| where IsAccessibilityTarget OR IsHighValueTarget OR SuspiciousPayload OR IsSilentExit
| groupBy([ComputerName, UserName, DetectionType, TargetObject, ValueName, RegStringValue, ContextImageFileName, CommandLine], function=count(as=EventCount))
| sort(EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor registry telemetry Falcon event stream: RegGenericValueUpdate, AsepValueUpdate, RegSystemConfigValueUpdate

Required Tables

#event_simpleName=RegGenericValueUpdate #event_simpleName=AsepValueUpdate #event_simpleName=RegSystemConfigValueUpdate

False Positives

Developer tooling such as WinDbg, Visual Studio debugger, or x64dbg registering as a JIT debugger via IFEO on development machines — cross-reference ComputerName against developer workstation OU or asset tag
Endpoint Detection and Response (EDR) or vulnerability management agents that write MitigationOptions values to harden specific binaries as part of policy enforcement
Legacy application compatibility fixes applied via Microsoft Application Compatibility Toolkit that redirect obsolete executable names to updated versions via IFEO Debugger values

Image File Execution Options Injection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections