From mitre
https://attack.mitre.org/techniques/T1546/012/
IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> where <executable> is the binary on which the debugger is attached.
...
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Why does someone want to put their debugger in the registry (path as shown above) when they can execute it directly?
I did test this and did not see any new key in the registry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Debugger command that I used for this testing:
C:\dbg\ntsd.exe -g notepad.exe
from hacking: security in practice https://ift.tt/3A5FRxL
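The Debugger value does not appear on its own: running ntsd.exe -g notepad.exe from a prompt only starts Notepad under a debugger and writes nothing to the Registry. The technique is that someone writes the value under a subkey named after the target (here it would be ...\Image File Execution Options\notepad.exe, Debugger = C:\dbg\ntsd.exe -g), after which every launch of that executable is routed through the debugger instead, with no further action by the attacker; that is why MITRE lists it as persistence and privilege escalation rather than something you could just "execute directly". The natural defender-side response is to enumerate those values. The script below is an added example written for this page, not MITRE's or the poster's code; it assumes Windows PowerShell 5.1 or later with read access to HKLM, and the WOW6432Node path it also checks is the 32-bit view of the same key.

```powershell
# Added example: enumerate IFEO Debugger values so a defender can spot hijacked executables.
# Assumes PowerShell 5.1+ on Windows with read access to HKLM. Not from the original post.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# The Debugger value is a command line (e.g. C:\dbg\ntsd.exe -g); pull out the image path,
# honouring a quoted first token so paths with spaces are handled.
function Get-DebuggerImage([string]$Value) {
    $v = $Value.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
        return $v.Trim('"')
    }
    return ($v -split '\s+', 2)[0]
}

# One object per executable that has a Debugger value, with the facts an analyst wants first:
# does the debugger binary exist, and is it signed?
function Get-IfeoDebugger {
    foreach ($base in $IfeoPaths) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { return }   # subkey has no Debugger value; nothing hijacked here

            $image  = Get-DebuggerImage $dbg
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }

            [pscustomobject]@{
                Target        = $_.PSChildName        # e.g. notepad.exe
                Debugger      = $dbg                  # full command line as stored
                DebuggerImage = $image
                ImageExists   = $exists
                Signature     = $status               # Valid / NotSigned / FileMissing / ...
                Suspicious    = (-not $exists) -or ($status -ne 'Valid')
                Hive          = $base
            }
        }
    }
}

# Usage: list everything, then narrow to entries that deserve a closer look.
$all = Get-IfeoDebugger
$all | Format-Table -AutoSize
$all | Where-Object Suspicious | Format-List
```

On a clean workstation the list is normally empty, so any entry at all is worth a look; a Debugger whose image is missing, unsigned, or sitting outside the Windows or tooling directories is the first thing to triage. For continuous coverage rather than a point-in-time sweep, watch value writes under this key (for example Sysmon event ID 13, registry value set) rather than re-running the script on a schedule.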