图像文件执行选项注入

图像文件执行选项（IFEO）使开发人员可以将调试器附加到应用程序。创建进程后，应用程序IFEO中存在的调试器将以该应用程序的名称为前缀，从而在调试器下有效地启动新进程（例如，“ C:\dbg\ ntsd.exe -g notepad.exe”）。

程序示例

名称	描述
TEMP.Veles(G0088)	TEMP.Veles(G0088)已修改并添加了其中的条目HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options以保持持久性。

Name	Description
TEMP.Veles(G0088)	TEMP.Veles(G0088) has modified and added entries within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to maintain persistence.

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

监视在异常父项下和/或带有指示调试的创建标志（例如DEBUG_PROCESS和）下产生的常见进程DEBUG_ONLY_THIS_PROCESS。

监视与IFEO相关的注册表值以及静默进程退出监视，以进行与已知软件，补丁程序周期等不相关的修改。监视和分析指示注册表编辑的应用程序编程接口（API）调用，例如RegCreateKeyEx和RegSetValueEx。

Monitor for common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. [1]

Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx.

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn