Image File Execution Options IFEO Or Silent Process Exit Registry Modification

# *Image File Execution Options (IFEO) or SilentProcessExit Registry Modification*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1622| Debugger Evasion | https://attack.mitre.org/techniques/T1622 |
| T1546.012 | Image File Execution Options Injection | https://attack.mitre.org/techniques/T1546/012/ |

#### Description

Detects modifications to the Image File Execution Options (IFEO) or SilentProcessExit registry keys, which can be abused for persistence, privilege escalation, or defense evasion. Adversaries may use these mechanisms to attach debuggers or monitor programs to legitimate executables, causing malicious code to run when the target application starts or exits.

Thanks to Maurice Fielenbach for sharing this attack path on LinkedIn.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://www.linkedin.com/posts/mauricefielenbach_cybersecurity-dfir-incidentresponse-activity-7424878161253007360-pYk6/


## Defender XDR
```KQL
// Initiating process names to ignore (placeholder; replace with vetted names)
let ExcludedInitiatingProcessFileNames = dynamic(["ExcludedProcessFileName.exe"]);
DeviceRegistryEvents
// Case-insensitive exclusion, since file names in telemetry vary in case
| where InitiatingProcessFileName !in~ (ExcludedInitiatingProcessFileNames)
// 'has' matches the key under both the native and the WOW6432Node view
| where RegistryKey has_any (
    @"Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    @"Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
)
// Values that redirect execution or attach a monitor process
| where RegistryValueName has_any ("Debugger", "MonitorProcess", "ReportingMode", "GlobalFlag")
// The target executable is the subkey directly beneath IFEO / SilentProcessExit.
// Extracting it by name is robust to the extra WOW6432Node path segment,
// which a fixed split() index is not.
| extend TargetProcess = extract(@"(?i)\\(?:Image File Execution Options|SilentProcessExit)\\([^\\]+)", 1, RegistryKey)
| project TimeGenerated,   // Sentinel column; use Timestamp in Defender XDR advanced hunting
          DeviceName,
          ActionType,
          RegistryKey,
          RegistryValueName,
          RegistryValueData,
          TargetProcess,
          InitiatingProcessFileName,
          InitiatingProcessAccountName
```

## Explanation

This query is designed to detect suspicious modifications to specific Windows registry keys that could indicate malicious activity. Here's a simplified explanation:

1. **Purpose:** The query looks for changes in the Windows registry related to Image File Execution Options (IFEO) and SilentProcessExit. These registry keys can be manipulated by attackers to run malicious code when certain applications start or exit, which can help them maintain persistence, escalate privileges, or evade defenses.

2. **Techniques involved:**
   - Debugger Evasion (T1622): Attackers might use these registry keys to attach a debugger to a legitimate process, allowing them to manipulate or monitor it.
   - Image File Execution Options Injection (T1546.012): This involves injecting malicious code into processes by modifying the IFEO registry settings.

3. **Query details:**
   - The query excludes certain processes from being flagged by specifying a list of process names to ignore.
   - It filters registry events to find those involving the specified registry keys related to IFEO and SilentProcessExit.
   - It further narrows down the results by looking for specific registry value names: "Debugger", "MonitorProcess", "ReportingMode", and "GlobalFlag".
   - The query extracts the target process name from the registry key path and selects relevant details such as the time of the event, device name, action type, registry key and value details, and information about the initiating process.

4. **Output:** The query provides a list of registry modification events that match the criteria, helping security analysts identify potential malicious activity related to these registry keys.

This query is useful for detecting attempts to manipulate how applications are executed on a Windows system, which can be a sign of an attack.
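The same filtering and target-extraction logic, applied to constructed DeviceRegistryEvents-like records so it can be run offline. This is an added example, not code from the page's author; the sample rows, the placeholder paths and the `_ev` helper are assumptions, and it goes one step beyond the KQL by checking that the target is recovered correctly when a WOW6432Node segment shifts the key depth.

```python
import re

# Watched keys and value names, mirroring the KQL query above.
WATCHED_KEYS = ("image file execution options", "silentprocessexit")
WATCHED_VALUES = {"debugger", "monitorprocess", "reportingmode", "globalflag"}
# Capture the subkey right after the watched key, whatever prefix precedes it
# (e.g. a WOW6432Node segment), instead of relying on a fixed split index.
TARGET_RE = re.compile(r"\\(?:Image File Execution Options|SilentProcessExit)\\([^\\]+)", re.I)

def extract_target(registry_key):
    """Return the executable named by the IFEO/SilentProcessExit subkey, or None."""
    m = TARGET_RE.search(registry_key)
    return m.group(1) if m else None

def detect(events, excluded=frozenset({"ExcludedProcessFileName.exe"})):
    """Apply the query's filters to event dicts; return matching rows with TargetProcess added."""
    excl = {e.lower() for e in excluded}
    hits = []
    for ev in events:
        if ev["InitiatingProcessFileName"].lower() in excl:
            continue  # initiating process is on the exclusion list
        if not any(k in ev["RegistryKey"].lower() for k in WATCHED_KEYS):
            continue  # substring check approximates KQL has_any on the key path
        if ev["RegistryValueName"].lower() not in WATCHED_VALUES:
            continue  # other IFEO values are not in scope for this query
        hits.append({**ev, "TargetProcess": extract_target(ev["RegistryKey"])})
    return hits

IFEO64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"

def _ev(key, value_name, data, proc):
    # Constructed DeviceRegistryEvents-like row (sample data, not real telemetry).
    return {"Timestamp": "2026-02-09T10:00:00Z", "DeviceName": "ws01",
            "ActionType": "RegistryValueSet", "RegistryKey": key,
            "RegistryValueName": value_name, "RegistryValueData": data,
            "InitiatingProcessFileName": proc, "InitiatingProcessAccountName": "user1"}

SAMPLE_EVENTS = [  # constructed; PLACEHOLDER paths stand in for whatever the data pointed at
    _ev(IFEO64 + r"\notepad.exe", "Debugger", r"C:\PLACEHOLDER\tool.exe", "reg.exe"),
    _ev(SPE + r"\calc.exe", "MonitorProcess", r"C:\PLACEHOLDER\tool.exe", "powershell.exe"),
    _ev(IFEO32 + r"\mspaint.exe", "GlobalFlag", "0x200", "reg.exe"),       # deeper path
    _ev(IFEO64 + r"\calc.exe", "ReportingMode", "1", "ExcludedProcessFileName.exe"),
    _ev(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe", "reg.exe"),
    _ev(IFEO64 + r"\calc.exe", "SomeOtherValue", "1", "reg.exe"),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["TargetProcess"], h["RegistryValueName"], h["InitiatingProcessFileName"])
```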

Details

Benjamin Zulliger

Released: February 9, 2026

Tables

DeviceRegistryEvents

Operators

let, !in, has_any, extend, tostring, split, project
