MITRE ATT&CK Technique
Description
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
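An added audit example, not part of the ATT&CK entry: it parses the text of a `reg export` of the two Registry locations named above and lists the values a defender should review. The value names `GlobalFlag` and `MonitorProcess` and the `0x200` flag come from Microsoft's silent process exit documentation rather than from this page; `audit_ifeo`, the finding labels and the sample data are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text form (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Temp\\placeholder-monitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00
'''

KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT'
    r'\\CurrentVersion\\(Image File Execution Options|SilentProcessExit)\\([^\\\]]+)\]$',
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit enabling silent-exit monitoring

def audit_ifeo(reg_text):
    """Return (image, finding, data) tuples for IFEO values worth reviewing."""
    findings, scope, image = [], None, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):  # new key header: track which subtree we are in
            m = KEY_RE.match(line)
            scope, image = (m.group(1).lower(), m.group(2).lower()) if m else (None, None)
            continue
        v = VALUE_RE.match(line)
        if not (scope and v):
            continue
        name, data = v.group(1).lower(), v.group(2)
        if data.startswith('"'):  # REG_SZ: strip quotes, undo .reg backslash escaping
            data = data[1:-1].replace('\\\\', '\\')
        if scope.startswith('image') and name == 'debugger':
            findings.append((image, 'ifeo-debugger', data))
        elif scope.startswith('image') and name == 'globalflag' and data.startswith('dword:'):
            if int(data[6:], 16) & FLG_MONITOR_SILENT_PROCESS_EXIT:
                findings.append((image, 'silent-exit-flag', data))
        elif scope == 'silentprocessexit' and name == 'monitorprocess':
            findings.append((image, 'silent-exit-monitor', data))
    return findings
```

Files written by `reg export` are UTF-16, so decode them accordingly before passing the text in. A `Debugger` value is not malicious by itself (developers set them legitimately), so each finding is a lead to compare against a known-good baseline.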
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-24T15:05:58.384Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may establish persistence and/or elevate '
'privileges by executing malicious content triggered by Image '
'File Execution Options (IFEO) debuggers. IFEOs enable a '
'developer to attach a debugger to an application. When a '
'process is created, a debugger present in an application’s '
'IFEO will be prepended to the application’s name, effectively '
'launching the new process under the debugger (e.g., '
'<code>C:\\dbg\\ntsd.exe -g notepad.exe</code>). (Citation: '
'Microsoft Dev Blog IFEO Mar 2010)\n'
'\n'
'IFEOs can be set directly via the Registry or in Global Flags '
'via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) '
'IFEOs are represented as <code>Debugger</code> values in the '
'Registry under '
'<code>HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows '
'NT\\CurrentVersion\\Image File Execution '
'Options\\<executable></code> where '
'<code><executable></code> is the binary on which the '
'debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar '
'2010)\n'
'\n'
'IFEOs can also enable an arbitrary monitor program to be '
'launched when a specified program silently exits (i.e. is '
'prematurely terminated by itself or a second, non kernel-mode '
'process). (Citation: Microsoft Silent Process Exit NOV 2017) '
'(Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, '
'silent exit monitoring can be enabled through GFlags and/or '
'by directly modifying IFEO and silent process exit Registry '
'values in '
'<code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows '
'NT\\CurrentVersion\\SilentProcessExit\\</code>. (Citation: '
'Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe '
'IFEO APR 2018)\n'
'\n'
'Similar to [Accessibility '
'Features](https://attack.mitre.org/techniques/T1546/008), on '
'Windows Vista and later as well as Windows Server 2008 and '
'later, a Registry key may be modified that configures '
'"cmd.exe," or another program that provides backdoor access, '
'as a "debugger" for an accessibility program (ex: '
'utilman.exe). After the Registry is modified, pressing the '
'appropriate key combination at the login screen while at the '
'keyboard or when connected with [Remote Desktop '
'Protocol](https://attack.mitre.org/techniques/T1021/001) will '
'cause the "debugger" program to be executed with SYSTEM '
'privileges. (Citation: Tilbury 2014)\n'
'\n'
'Similar to [Process '
'Injection](https://attack.mitre.org/techniques/T1055), these '
'values may also be abused to obtain privilege escalation by '
'causing a malicious executable to be loaded and run in the '
'context of separate processes on the computer. (Citation: '
'Elastic Process Injection July 2017) Installing IFEO '
'mechanisms may also provide Persistence via continuous '
'triggered invocation.\n'
'\n'
'Malware may also use IFEO to [Impair '
'Defenses](https://attack.mitre.org/techniques/T1562) by '
'registering invalid debuggers that redirect and effectively '
'disable various system and security applications. (Citation: '
'FSecure Hupigon) (Citation: Symantec Ushedix June 2008)',
'external_references': [{'external_id': 'T1546.012',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1546/012'},
{'description': 'FSecure. (n.d.). Backdoor - '
'W32/Hupigon.EMV - Threat '
'Description. Retrieved December 18, '
'2017.',
'source_name': 'FSecure Hupigon',
'url': 'https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml'},
{'description': 'Hosseini, A. (2017, July 18). Ten '
'Process Injection Techniques: A '
'Technical Survey Of Common And '
'Trending Process Injection '
'Techniques. Retrieved December 7, '
'2017.',
'source_name': 'Elastic Process Injection July 2017',
'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'},
{'description': 'Marshall, D. & Griffin, S. (2017, '
'November 28). Monitoring Silent '
'Process Exit. Retrieved June 27, '
'2018.',
'source_name': 'Microsoft Silent Process Exit NOV '
'2017',
'url': 'https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit'},
{'description': 'Microsoft. (2017, May 23). GFlags '
'Overview. Retrieved December 18, '
'2017.',
'source_name': 'Microsoft GFlags Mar 2017',
'url': 'https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview'},
{'description': 'Moe, O. (2018, April 10). '
'Persistence using GlobalFlags in '
'Image File Execution Options - '
'Hidden from Autoruns.exe. Retrieved '
'June 27, 2018.',
'source_name': 'Oddvar Moe IFEO APR 2018',
'url': 'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'},
{'description': 'Shanbhag, M. (2010, March 24). Image '
'File Execution Options (IFEO). '
'Retrieved December 18, 2017.',
'source_name': 'Microsoft Dev Blog IFEO Mar 2010',
'url': 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/'},
{'description': 'Symantec. (2008, June 28). '
'Trojan.Ushedix. Retrieved December '
'18, 2017.',
'source_name': 'Symantec Ushedix June 2008',
'url': 'https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2'},
{'description': 'Tilbury, C. (2014, August 28). '
'Registry Analysis with '
'CrowdResponse. Retrieved November '
'17, 2024.',
'source_name': 'Tilbury 2014',
'url': 'https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/'}],
'id': 'attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:55.526Z',
'name': 'Image File Execution Options Injection',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Oddvar Moe, @oddvarmoe'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}