Windows allows specific configuration of various executables via a registry key. Some keys allow defining a debugger to attach to a program as it is run. If this debugger is launched for commonly used programs (e.g. notepad) then another program can be launched at the same time (with the same privileges).
There is an additional key for x86 executables HKEY_LOCAL_MACHINE
SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options* however this is kept inlign with the x64 key and
therefore does not need to be processed.
Limitations: This queries the live registry and therefore does not parse data in Windows.old or Regback folders, or VSS.
name: Windows.Persistence.Debug
description: |
Windows allows specific configuration of various executables via a
registry key. Some keys allow defining a debugger to attach to a
program as it is run. If this debugger is launched for commonly used
programs (e.g. notepad) then another program can be launched at the
same time (with the same privileges).
There is an additional key for x86 executables HKEY_LOCAL_MACHINE\
SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\* however this is kept inlign with the x64 key and
therefore does not need to be processed.
Limitations: This queries the live registry and therefore does not
parse data in Windows.old or Regback folders, or VSS.
reference:
- https://attack.mitre.org/techniques/T1183/
parameters:
- name: imageFileExecutionOptions
default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
sources:
- query: |
LET X = scope()
SELECT Key.ModTime as KeyLastWriteTimestamp,
Key.OSPath as _Key,
Key.Name AS Program,
X.Debugger AS Debugger
FROM read_reg_key(globs=imageFileExecutionOptions)
WHERE Debugger
Order By KeyLastWriteTimestamp