Detection rules › Splunk
Windows Event Triggered Image File Execution Options Injection
The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.012 Event Triggered Execution: Image File Execution Options Injection |
| Privilege Escalation | T1546.012 Event Triggered Execution: Image File Execution Options Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| ProcessExitMonitor | 3000 | The process 'param1' exited with exit code param2. |
Stages and Predicates
Stage 1: search
search EventCode=3000
Stage 2: rename
rename
Stage 3: stats
stats BY Process, Exit_Code, dest
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
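The stages above, replayed offline over a few constructed Application-channel records as an added example (not the rule's own SPL or any project code): events are filtered to EventCode 3000 from the ProcessExitMonitor provider, param1/param2 are renamed to Process/Exit_Code, and results are grouped by Process, Exit_Code and dest. The field names (EventCode, Channel, SourceName, param1, param2, host) and the Message fallback are assumptions about how the Windows add-on renders these events.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field layout is an assumption.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "ws01", "Channel": "Application", "EventCode": 3000,
     "SourceName": "ProcessExitMonitor", "param1": "notepad.exe", "param2": "0"},
    {"_time": 1700000060, "host": "ws01", "Channel": "Application", "EventCode": 3000,
     "SourceName": "ProcessExitMonitor", "param1": "notepad.exe", "param2": "0"},
    {"_time": 1700000120, "host": "ws02", "Channel": "Application", "EventCode": 3000,
     "SourceName": "ProcessExitMonitor",
     "Message": "The process 'cmd.exe' exited with exit code 1."},
    {"_time": 1700000180, "host": "ws02", "Channel": "Application", "EventCode": 1000,
     "SourceName": "Application Error", "param1": "explorer.exe", "param2": "c0000005"},
]

# Matches the rendered title "The process 'param1' exited with exit code param2."
MSG_RE = re.compile(r"The process '(?P<process>[^']+)' exited with exit code (?P<code>\S+)\.")


def normalize(event):
    """Stages 1-2: keep ProcessExitMonitor 3000 events and rename param1/param2.
    Returns None for events the rule does not match; parses the rendered
    Message when the param fields are missing."""
    if event.get("EventCode") != 3000 or event.get("Channel") != "Application":
        return None
    if event.get("SourceName") != "ProcessExitMonitor":
        return None
    process, code = event.get("param1"), event.get("param2")
    if process is None or code is None:
        m = MSG_RE.search(event.get("Message", ""))
        if not m:
            return None
        process, code = m.group("process"), m.group("code")
    return {"Process": process, "Exit_Code": code, "dest": event["host"], "_time": event["_time"]}


def stats_by_process(events):
    """Stage 3: count, firstTime and lastTime grouped BY Process, Exit_Code, dest."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in filter(None, map(normalize, events)):
        g = groups[(ev["Process"], ev["Exit_Code"], ev["dest"])]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return dict(groups)


if __name__ == "__main__":
    for key, g in stats_by_process(SAMPLE_EVENTS).items():
        print(key, g)
```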
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 3000 |