title: Image File Execution Options Injection (T1546.012)
id: df00tech-t1546-012
status: experimental
description: "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debugger values. IFEO enables developers to attach debuggers to applications. Registry keys in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\{binary}.exe can be set with a Debugger value that allows a debugger to be launched automatically when the specified binary is executed. Adversaries abuse this by setting the Debugger value to their malicious payload — whenever the target binary executes, Windows launches the adversary's payload instead (with the target binary name as an argument). This can be used to replace legitimate processes, persist on reboot, or escalate privileges."
references:
  - https://attack.mitre.org/techniques/T1546/012/
  - https://df00tech.com/detections/T1546.012
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developers legitimately attaching debuggers (Visual Studio, WinDbg) to specific applications during development and testing — these should set Debugger to a known debugger path like vsjitdebugger.exe"
  - Just-In-Time (JIT) debugging configured by Visual Studio or Windbg installation which sets a global IFEO Debugger entry for all processes
  - Application error reporting tools that register themselves as debuggers to capture crash dumps
  - Security products that use IFEO to inject their monitoring DLLs or intercept specific process launches
level: high