T1546.012: Image File Execution Options Injection
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe).[1]
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool.[2] IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached.[1]
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process).[3][4] Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\.[3][4]
Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the "debugger" program to be executed with SYSTEM privileges.[5]
Similar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer.[6] Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
Malware may also use IFEO to impair defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.[7][8]
Analyst context for executives and security teams
Image File Execution Options Injection is a Windows persistence and privilege-escalation behavior where registry-based debugger settings can cause another program to run when a targeted executable starts or exits. For leaders, the practical issue is that a small registry change can turn normal application launches, accessibility tools, or security utilities into triggers for unauthorized code execution or defense impairment.
Executive priority
Prioritize this as a Windows endpoint and server resilience control issue, especially on administrator workstations, jump hosts, RDP-accessible systems, and systems supporting sensitive operations. The business question is whether the organization can prove that IFEO and SilentProcessExit registry locations are baselined, monitored, and reviewed quickly during incidents. ATT&CK relationships show this technique is relevant to persistence, privilege escalation, and has been associated in ATT&CK with campaign/software reporting, so it should be part of IR triage and compliance evidence for endpoint change monitoring.
Technical view
SOC and IR teams should validate coverage for registry changes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>, the Wow6432Node equivalent, and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit. Focus on Debugger values, Global Flags/GFlags-driven configuration, silent process exit monitor settings, and cases where accessibility programs, system utilities, or security applications are mapped to unexpected executables. Because the official ATT&CK detection field is not provided, use the related DET0422 detection strategy as relationship context and verify local telemetry rather than assuming coverage.
Likely telemetry
- Windows registry auditing or EDR registry-change events for IFEO and SilentProcessExit paths
- Process creation telemetry showing unexpected debugger-prefixed execution chains
- Command-line telemetry for debugger, GFlags, or monitor-program configuration activity
- RDP or interactive logon context when accessibility binaries are involved
- Events showing security or system applications failing to launch, being redirected, or spawning unexpected child processes
Detection direction
- Baseline legitimate IFEO Debugger and SilentProcessExit entries, then alert on new, modified, or unusual values.
- Prioritize changes targeting accessibility executables, security tools, administrative utilities, and frequently launched applications.
- Correlate registry modification events with the account, host role, parent process, command line, and subsequent process execution.
- Tune for legitimate developer/debugging workflows and approved GFlags use to reduce false positives.
- During incident response, inspect both standard and Wow6432Node registry paths, because 32-bit and 64-bit views can create blind spots.
Mitigation priorities
- Limit administrative write access to the relevant HKLM registry locations and review who can change debugger-related settings.
- Maintain approved baselines for IFEO, Global Flags, and SilentProcessExit values on critical Windows assets.
- Require change control for legitimate debugging configurations, especially on servers and privileged workstations.
- Include these registry locations in endpoint hardening, monitoring, and incident-response collection playbooks.
- Review RDP-accessible and login-screen-accessible systems for unauthorized accessibility-program debugger mappings.
Analyst notes and limits
This take is based on ATT&CK T1546.012 for Windows, its parent technique Event Triggered Execution, and supplied relationships including DET0422 plus campaign/software uses. The campaign and software relationships show ATT&CK-documented relevance, but they do not by themselves prove current exploitation in any environment.
The official ATT&CK detection text for this object is not provided. Local validation is required to determine whether registry auditing, endpoint telemetry, and process command-line logging are enabled and retained. No vendor-specific coverage or guaranteed detection should be inferred from this object alone.
Image File Execution Options Injection
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe).[1]
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool.[2] IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached.[1]
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process).[3][4] Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\.[3][4]
Similar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the "debugger" program to be executed with SYSTEM privileges.[5]
Similar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer.[6] Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
Malware may also use IFEO to impair defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.[7][8]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1183 | Image File Execution Options Injection | Image File Execution Options Injection revoked by this object. |
| Enterprise | T1546 | Event Triggered Execution | This object subtechnique of Event Triggered Execution. |
Groups, software, and campaigns
S0559: SUNBURST
S0461: SDBbot
C0032: C0032
C0032 was an extended campaign suspected to involve the Triton adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | 358ce42da837… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Microsoft Dev Blog IFEO Mar 2010
Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.
Open source URL -
[2]
Microsoft GFlags Mar 2017
Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.
Open source URL -
[3]
Microsoft Silent Process Exit NOV 2017
Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.
Open source URL -
[4]
Oddvar Moe IFEO APR 2018
Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.
Open source URL -
[5]
Tilbury 2014
Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 17, 2024.
Open source URL -
[6]
Elastic Process Injection July 2017
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
Open source URL -
[7]
FSecure Hupigon
FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.
Open source URL -
[8]
Symantec Ushedix June 2008
Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.
Open source URL -
[9]
mitre-attack T1546.012Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.