Name:Windows Event Triggered Image File Execution Options Injection id:f7abfab9-12ea-44e8-8745-475f9ca6e0a4 version:3 date:2024-10-17 author:Michael Haag, Splunk status:production type:Hunting Description:The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise. Data_source:
-Windows Event Log Application 3000
search:`wineventlog_application` EventCode=3000 | rename param1 AS "Process" param2 AS "Exit_Code" | stats count min(_time) as firstTime max(_time) as lastTime by Process Exit_Code dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_triggered_image_file_execution_options_injection_filter`
how_to_implement:This analytic requires capturing the Windows Event Log Application channel in XML. known_false_positives:False positives may be present and tuning will be required before turning into a TTP or notable. References: -https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html -https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit drilldown_searches:
: tags: analytic_story: - 'Windows Persistence Techniques' asset_type:Endpoint confidence:50 impact:50 message:Windows eventcode 3000 triggered on $dest$ potentially indicating persistence or a monitoring of a process has occurred. mitre_attack_id: - 'T1546.012' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Process' - 'Exit_Code' - 'dest' - 'EventCode' risk_score:25 security_domain:endpoint
