Which SIEM platforms have a T1546.012 detection rule?

df00tech provides T1546.012 (Image File Execution Options Injection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Image File Execution Options Injection (T1546.012)?

Detecting Image File Execution Options Injection requires the following data sources: Windows Registry: Registry Key Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1546.012 detection?

The T1546.012 detection is rated high severity with high confidence.

What are common false positives for T1546.012?

Common false positives for T1546.012 include: Developers legitimately attaching debuggers (Visual Studio, WinDbg) to specific applications during development and testing — these should set Debugger to a known debugger path like vsjitdebugger.exe; Just-In-Time (JIT) debugging configured by Visual Studio or Windbg installation which sets a global IFEO Debugger entry for all processes; Application error reporting tools that register themselves as debuggers to capture crash dumps.

T1546.012 CrowdStrike LogScale · LogScale

Detect Image File Execution Options Injection in CrowdStrike LogScale

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debugger values. IFEO enables developers to attach debuggers to applications. Registry keys in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{binary}.exe can be set with a Debugger value that allows a debugger to be launched automatically when the specified binary is executed. Adversaries abuse this by setting the Debugger value to their malicious payload — whenever the target binary executes, Windows launches the adversary's payload instead (with the target binary name as an argument). This can be used to replace legitimate processes, persist on reboot, or escalate privileges.

MITRE ATT&CK

Tactic: Privilege Escalation Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.012 Image File Execution Options Injection
Canonical reference: https://attack.mitre.org/techniques/T1546/012/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

#event_simpleName in ("RegGenericValueUpdate", "AsepValueUpdate", "RegSystemConfigValueUpdate")
| TargetObject = /(?i)Image\s+File\s+Execution\s+Options/
| ValueName = /(?i)^(Debugger|GlobalFlag|MitigationOptions)$/
| IsAccessibilityTarget := TargetObject = /(?i)(sethc\.exe|utilman\.exe|osk\.exe|magnify\.exe|narrator\.exe|displayswitch\.exe|atbroker\.exe)/
| IsHighValueTarget := TargetObject = /(?i)(taskmgr\.exe|regedit\.exe|msconfig\.exe|cmd\.exe|powershell\.exe|mmc\.exe)/
| SuspiciousPayload := RegStringValue = /(?i)(cmd\.exe|powershell|mshta|wscript|cscript|rundll32|regsvr32|AppData|\\Temp\\|ProgramData)/
| IsSilentExit := ValueName = "GlobalFlag" AND RegStringValue = "512"
| DetectionType := if(IsAccessibilityTarget AND ValueName = "Debugger", "IFEO_ACCESSIBILITY_BACKDOOR",
    if(IsHighValueTarget AND ValueName = "Debugger", "IFEO_SYSBIN_HIJACK",
    if(IsSilentExit, "IFEO_SILENT_EXIT",
    if(SuspiciousPayload AND ValueName = "Debugger", "IFEO_SUSPICIOUS_DEBUGGER",
    if(ValueName = "Debugger", "IFEO_DEBUGGER_SET", "IFEO_KEY_MODIFIED")))))
| where IsAccessibilityTarget OR IsHighValueTarget OR SuspiciousPayload OR IsSilentExit
| groupBy([ComputerName, UserName, DetectionType, TargetObject, ValueName, RegStringValue, ContextImageFileName, CommandLine], function=count(as=EventCount))
| sort(EventCount, order=desc)

high severity high confidence

CrowdStrike LogScale detection for IFEO injection using Falcon registry event types (RegGenericValueUpdate, AsepValueUpdate). Filters on IFEO key path and Debugger/GlobalFlag/MitigationOptions value names, then classifies detections by target binary risk tier and payload characteristics.

Data Sources

CrowdStrike Falcon sensor registry telemetryFalcon event stream: RegGenericValueUpdate, AsepValueUpdate, RegSystemConfigValueUpdate

Required Tables

#event_simpleName=RegGenericValueUpdate#event_simpleName=AsepValueUpdate#event_simpleName=RegSystemConfigValueUpdate

False Positives & Tuning

Developer tooling such as WinDbg, Visual Studio debugger, or x64dbg registering as a JIT debugger via IFEO on development machines — cross-reference ComputerName against developer workstation OU or asset tag
Endpoint Detection and Response (EDR) or vulnerability management agents that write MitigationOptions values to harden specific binaries as part of policy enforcement
Legacy application compatibility fixes applied via Microsoft Application Compatibility Toolkit that redirect obsolete executable names to updated versions via IFEO Debugger values

Download portable Sigma rule (.yml)

Other platforms for T1546.012

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1IFEO Debugger Injection on cmd.exe
Expected signal: Sysmon Event ID 13: TargetObject=Image File Execution Options\cmd.exe\Debugger, Details=C:\Windows\System32\notepad.exe. Process creation for reg.exe. If cmd.exe is then launched, notepad.exe starts with cmd.exe as its argument.
Test 2IFEO GlobalFlag for SilentProcessExit
Expected signal: Sysmon Event ID 13 records: GlobalFlag set to 512 in IFEO\notepad.exe, and MonitorProcess set in SilentProcessExit\notepad.exe. The combination of GlobalFlag=512 and MonitorProcess registration is the SilentProcessExit technique.
Test 3Enumerate All IFEO Debugger Registrations
Expected signal: Process creation for reg.exe with query /s flags. Read-only enumeration. Output reveals all IFEO Debugger and GlobalFlag values across all registered binaries.

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1546.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Image File Execution Options Injection in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1546.012

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1546.012

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox