Query Accessibility Features from Image File Execution Options from the Registry
AID2112302043.YAML
#####aid_begin
#description: fetch the information on accessibility features from image file execution options
#id: aid2112302043
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# invoke-loadallprofilehives
# get-bgloadedreghives
# get-bgmruactivityview
# invoke-bgunloadallprofilehives
#notes: |-
# adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by image file execution options (ifeo) debuggers. ifeo lets a developer attach a debugger to an application: when a process is created, a debugger present in the application's ifeo key is prepended to the application's command line, so the new process is launched under the debugger (e.g., c:\dbg\ntsd.exe -g notepad.exe).
# the accessibility binaries queried below (sethc.exe, utilman.exe, atbroker.exe, magnify.exe, narrator.exe, displayswitch.exe, osk.exe) can be launched from the logon screen before any user authenticates (for example utilman.exe via win+u, sethc.exe via five presses of shift), so a debugger value on one of them runs the attacker's binary as system from the lock screen. these binaries are never legitimately debugged on a production host, so any debugger value on them is a finding rather than something to triage.
# ifeo is machine-wide under hklm; loaded user hives are not needed for this check. on 64-bit hosts the key also exists under hklm\software\wow6432node\microsoft\windows nt\currentversion\image file execution options, which the commands below do not cover.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" -MatchValue -MatchData -Pattern 'Debugger'
- Get-BGRegistry -StartKey "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" -MatchValue -MatchData -Pattern 'Debugger'
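The following PowerShell is an added example and is not code from the BG toolkit or from this page. It does with built-in cmdlets what the Get-BGRegistry queries above do: it walks every subkey of the IFEO key (and, as an addition the commands above do not cover, the WOW6432Node copy on 64-bit hosts), returns each non-empty Debugger value, resolves the debugger executable and its Authenticode status, and flags the accessibility binaries listed on this page. The function and variable names are my own, and the block assumes PowerShell 3 or later (it uses `[pscustomobject]`) running in an elevated session.

```powershell
# Added example, not code from the BG toolkit or this page: enumerate every IFEO
# Debugger value with built-in cmdlets and flag the accessibility binaries.
# Assumptions: PowerShell 3+, elevated session; the WOW6432Node path exists only
# on 64-bit Windows and is skipped when absent.

$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'AtBroker.exe', 'Magnify.exe',
    'Narrator.exe', 'DisplaySwitch.exe', 'osk.exe'
)

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerImagePath {
    # Pull the executable out of a Debugger value such as
    #   "C:\dbg\ntsd.exe" -g      or      cmd.exe /c start
    # A bare name like cmd.exe is resolved through PATH the way CreateProcess would.
    param([string]$Debugger)
    if ($Debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Debugger.Trim() -split '\s+')[0] }
    $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if ($resolved) { return $resolved.Source }
    return $exe
}

function Get-IfeoDebugger {
    [CmdletBinding()]
    param(
        [string[]]$Root  = $IfeoRoots,
        [string[]]$Watch = $AccessibilityBinaries
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # One subkey per image name; a non-empty Debugger value is what actually
        # starts when that image is launched.
        foreach ($key in Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

            $exe = Get-DebuggerImagePath -Debugger $dbg
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                $sig = 'NotFound'   # debugger points at a file that is not on disk
            }

            [pscustomobject]@{
                Root          = $r
                Image         = $key.PSChildName
                Debugger      = $dbg
                DebuggerExe   = $exe
                Signature     = $sig
                Accessibility = ($Watch -contains $key.PSChildName)   # -contains is case-insensitive
            }
        }
    }
}

# Usage: list every Debugger value, then call out the accessibility hits.
$hits = Get-IfeoDebugger
$hits | Format-Table Image, Debugger, Signature, Accessibility -AutoSize
$hits | Where-Object Accessibility | ForEach-Object {
    Write-Warning ("IFEO debugger on accessibility binary {0}: {1}" -f $_.Image, $_.Debugger)
}
```

Any row with `Accessibility` set to `True` is a finding regardless of what the debugger is, since these binaries are launched as SYSTEM from the logon screen. For other images, `Signature` and `DebuggerExe` give the first triage cue: a debugger that resolves to an unsigned file in a user-writable path, or to nothing at all, deserves the same attention.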