Query Details

Image File Execution Options IFEO Or Silent Process Exit Registry Modification

Query

let ExludedInitiatingProcessFileNames = ("ExludedProcessFilesName.exe");
DeviceRegistryEvents
| where InitiatingProcessFileName !in (ExludedInitiatingProcessFileNames)
| where RegistryKey has_any (
    @"Microsoft\Windows NT\CurrentVersion\Image File Execution Options", 
    @"Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
)
| where RegistryValueName has_any ("Debugger", "MonitorProcess", "ReportingMode", "GlobalFlag")
| extend TargetProcess = tostring(split(RegistryKey, @"\")[8])

About this query

Image File Execution Options (IFEO) or SilentProcessExit Registry Modification

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1622Debugger Evasionhttps://attack.mitre.org/techniques/T1622
T1546.012Image File Execution Options Injectionhttps://attack.mitre.org/techniques/T1546/012/

Description

Detects modifications to the Image File Execution Options (IFEO) or SilentProcessExit registry keys, which can be abused for persistence, privilege escalation, or defense evasion. Adversaries may use these mechanisms to attach debuggers or monitor programs to legitimate executables, causing malicious code to run when the target application starts or exits.

thx to Maurice Fielenbach for Sharing this Attack Path on Linkedin

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect suspicious changes to specific Windows registry keys related to Image File Execution Options (IFEO) and SilentProcessExit. These registry keys can be manipulated by attackers to run malicious code when certain applications start or exit, which can be used for persistence, privilege escalation, or evading defenses.

Here's a simple breakdown of what the query does:

  1. Exclusion of Specific Processes: It starts by defining a list of process file names that should be excluded from the analysis. In this case, it excludes any events initiated by "ExludedProcessFilesName.exe".

  2. Filtering Registry Events: The query looks at events where changes are made to registry keys related to IFEO and SilentProcessExit. These keys are located under:

    • Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Microsoft\Windows NT\CurrentVersion\SilentProcessExit
  3. Specific Value Names: It further filters these events to only include changes where the registry value names are "Debugger", "MonitorProcess", "ReportingMode", or "GlobalFlag". These values are often used to attach debuggers or monitor programs to executables.

  4. Extracting Target Process: Finally, the query extracts the name of the target process from the registry key path, which indicates which application is being affected by the registry modification.

Overall, this query helps identify potential malicious activity by monitoring for unauthorized changes to registry settings that could allow attackers to execute unwanted code through legitimate processes.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 9, 2026

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents

Operators

letDeviceRegistryEvents|where!inhas_anyextendtostringsplit

MITRE Techniques

Actions

GitHub