Manual
  • BluSapphire Manuals
  • BluSapphire
    • Detections
      • Creating "Detections" Using BluSapphire Portal
    • Roles & Permissions
    • Knowledge Base
  • BluGenie
    • Full Function List
      • Add-BluGenieFirewallRule
      • Clear-BlugenieMemory
      • Connect-BluGenieToSystem
      • Convert-BluGenieSID2UserName
      • Convert-BluGenieSize
      • Convert-BluGenieUserName2SID
      • Convert-BluGenieUTCtoLocal
      • ConvertFrom-Yaml
      • ConvertTo-BluGenieDate
      • ConvertTo-Yaml
      • Disable-BluGenieAllFirewallRules
      • Disable-BluGenieFirewallRule
      • Enable-BluGenieAllFirewallRules
      • Enable-BluGenieFirewallRule
      • Enable-BluGenieWinRMoverWMI
      • Expand-BluGenieArchivePS2
      • Format-BluGenieEvent
      • Get-BluGenieADGroupMembers
      • Get-BluGenieADGroups
      • Get-BluGenieADMachineInfo
      • Get-BluGenieAuditProcessTracking
      • Get-BluGenieAutoRuns
      • Get-BluGenieChildItemList
      • Get-BluGenieCOMObjectInfo
      • Get-BluGenieCurrentSessionAliases
      • Get-BluGenieCurrentSessionFunctions
      • Get-BluGenieCurrentSessionVariables
      • Get-BluGenieErrorAction
      • Get-BluGenieFileADS
      • Get-BluGenieFilePermissions
      • Get-BluGenieFileSnapshot
      • Get-BluGenieFileStreams
      • Get-BluGenieFirewallRules
      • Get-BluGenieHashInfo
      • Get-BluGenieHelp
      • Get-BluGenieHostingVersion
      • Get-BluGenieIPrange
      • Get-BluGenieLiteralPath
      • Get-BluGenieLoadedRegHives
      • Get-BluGenieLockingProcess
      • Get-BluGenieMRUActivityView
      • Get-BluGenieProcessList
      • Get-BluGenieRegistry
      • Get-BluGenieRegistryProcessTracking
      • Get-BluGenieRegSnapshot
      • Get-BluGenieRunSpaceSessionAliases
      • Get-BluGenieRunSpaceSessionFunctions
      • Get-BluGenieRunSpaceSessionVariables
      • Get-BluGenieSchTaskInfo
      • Get-BluGenieScriptDirectory
      • Get-BluGenieServiceList
      • Get-BluGenieServiceStatus
      • Get-BluGenieSessionAliasList
      • Get-BluGenieSessionFunctionList
      • Get-BluGenieSessionVariableList
      • Get-BluGenieSettings
      • Get-BluGenieSignature
      • Get-BluGenieSystemInfo
      • Get-BluGenieToolsDirectory
      • Get-BluGenieTranscriptsDir
      • Get-BluGenieTranscriptsFile
      • Get-BluGenieTrapData
      • Get-BluGenieWindowsTitle
      • Get-BluGenieWindowsUpdates
      • Install-BluGenieHarvester
      • Install-BluGenieSysMon
      • Invoke-BluGenieAnalyzer
      • Invoke-BluGenieFileBrowser
      • Invoke-BluGenieLoadAllProfileHives
      • Invoke-BluGenieNetStat
      • Invoke-BluGenieParallel
      • Invoke-BluGenieProcess
      • Invoke-BluGenieProcessHash
      • Invoke-BluGeniePSQuery
      • Invoke-BluGeniePython
      • Invoke-BluGenieSQLLQuery
      • Invoke-BluGenieThreadLock
      • Invoke-BluGenieUnLoadAllProfileHives
      • Invoke-BluGenieWalkThrough
      • Invoke-BluGenieWipe
      • Invoke-BluGenieYara
      • Invoke-PSipcalc
      • Invoke-PSnmap
      • Invoke-SQLiteBulkCopy
      • Invoke-SqliteQuery
      • Invoke-WalkThrough
      • Join-BluGenieObjects
      • New-BluGenieCommand
      • New-BluGenieHelpMenu
      • New-BluGenieService
      • New-BluGenieSessionInfo
      • New-BluGenieTimeStamp
      • New-BluGenieUID
      • New-SQLiteConnection
      • Open-BluGenieLog
      • Open-BluGenieLogDir
      • Open-BluGenieScriptDir
      • Open-BluGenieToolDir
      • Open-BluGenieTransDir
      • Out-DataTable
      • Publish-BluGenieArtifact
      • Publish-BluGenieFirewallRules
      • Remove-BluGenieFile
      • Remove-BluGenieFirewallRule
      • Remove-BluGenieModule
      • Remove-BluGenieService
      • Resolve-BluGenieDnsName
      • Send-BluGenieItem
      • Set-BluGenieAuditProcessPol
      • Set-BluGenieCommands
      • Set-BluGenieCores
      • Set-BluGenieDebugger
      • Set-BluGenieFirewallGPOStatus
      • Set-BluGenieFirewallStatus
      • Set-BluGenieJobId
      • Set-BluGenieJobMemory
      • Set-BluGenieJobTimeout
      • Set-BluGenieNoBanner
      • Set-BluGenieNoExit
      • Set-BluGenieNoSetRes
      • Set-BluGenieParallelCommands
      • Set-BluGeniePostCommands
      • Set-BluGeniePrefetch
      • Set-BluGenieProcessCPUAffinity
      • Set-BluGenieProcessPriority
      • Set-BluGenieRange
      • Set-BluGenieRemoteDesktopProcess
      • Set-BluGenieScriptCredentials
      • Set-BluGenieServiceJob
      • Set-BluGenieSessionInfo
      • Set-BluGenieSettingsPriority
      • Set-BluGenieSystems
      • Set-BluGenieThreadCount
      • Set-BluGenieTrapping
      • Set-BluGenieUpdateMods
      • Set-BluGenieVerbose
      • Show-BluGenieGUI
      • Show-BluGenieMore
      • Start-BluGenieNewProcess
      • Start-BluGenieRunSpace
      • Stop-BluGenieService
      • Test-BluGenieIsFileLocked
      • Test-BluGenieIsMutexAvailable
      • Trace-BluGenieFireWallStatus
      • Update-BluGenieFirewallProfileStatus
      • Update-BluGenieSysinternals
      • Update-Sqlite
      • Write BluGenieVerboseMsg
    • Functions by Category
      • Discovery
        • Registry
        • File/Folder
        • Process
        • System
        • Network
        • ActiveDirectory
      • Execution
        • Registry
        • File/Folder
        • Process
        • System
        • Network
        • Tools
      • Support
    • Artifacts
      • Example Template
      • Tactical Artifacts by Category
        • Combination Query
          • Query Autorun locations for any item nested that is not digitally signed
        • EventLog Query
          • Query for Process execution from unusual directories
          • Query suspicious programs processed by the Task Scheduler using the Event Log
          • Query for unusual instances of rundll32.exe via the Event Log
          • Query for Unusual Instances of rundll32.exe making outbound network connections using SysMon Data
          • Query Suspicious Powershell Command Line Executions
          • Query the Windows System Log for 104, 517, 1102
        • File and Folder Query
          • Query for malicious file types in all users and system temp directories
          • Query Malicious file types from any directory not including the default OS and Install directories
          • Query all users for their Powershell Profile content for Powershell, Powershell_ISE, and VS Code
          • Query to Determine if any lolbin files are installed outside the normal OS and Program Files dir's
        • Network Query
          • Query for Unusual Windows Network Activity
        • Process Query
          • Query for all Processes not running from the Windows and Program Files.* Directories
        • Registry Query
          • Query Information from the Registry on Recentdocs, Recentapps
          • Query Registry for a list of mounted USB storage devices, including external memory cards
          • Query the Most Recently Used items from the Registry
          • Query the Most Recently Open and Saved File information from the Registry
          • Query all Run, RunOnce, and RunOnceEx Registry Keys
          • Query Command list from the MRU Registry List
          • Query Startup Services from the Registry
          • Query Map Network Drives from the Registry
          • Query Shell Folders and User Shell Folders from both the HKLM and HKU Registry Information
          • Query Typed Urls from the Registry
          • Query Current Control Set Services information from the Registry
          • Query Accessibility Features from Image File Execution Options from the Registry
          • Query the Registry for Commands that are automatically executed each time cmd.exe is run
          • Query the Registry for Mounted Device information
          • Query the Registry for Browser Helper Objects (BHO)
          • Query the Registry for Explore Run commands
          • Query the Registry for Winlogon Helper Dll's
          • Query the Registry for Active Setup information
          • Query the Registry for Bypassing UAC Mechanisms from the User-Accessible information
          • Query the Registry for User-Logon, and Startup Scripts
          • Query the Registry for the most common MRU information for All User Hives, including offline users
          • Query the Registry for any user, using the SysInternals Tools
Powered by GitBook
On this page
  1. BluGenie
  2. Artifacts
  3. Tactical Artifacts by Category
  4. Registry Query

Query Accessibility Features from Image File Execution Options from the Registry

AID2112302043.YAML

#####aid_begin
#description: fetch the information on accessibility features from image file execution options
#id: aid2112302043
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  invoke-loadallprofilehives
#  get-bgloadedreghives
#  get-bgmruactivityview
#  invoke-bgunloadallprofilehives
#notes: |-
#  adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by image file execution options (ifeo) debuggers. ifeos enable a developer to attach a debugger to an application. when a process is created, a debugger present in an application’s ifeo will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., c:\dbg\ntsd.exe -g notepad.exe).
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" -MatchValue -MatchData -Pattern 'Debugger'
PreviousQuery Current Control Set Services information from the RegistryNextQuery the Registry for Commands that are automatically executed each time cmd.exe is run

Last updated 3 years ago