If you are not familiar with it, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key lets you (with administrator rights, since the key lives under HKLM) assign a debugger to a program. Windows then launches that debugger automatically whenever the program starts, which helps developers attach to their programs as they execute.
Windows Defender can now detect backdoors planted through Windows utility programs.
This is done by creating a subkey under Image File Execution Options (IFEO) named after the executable you want to debug and setting a 'Debugger' value inside it.
For example, if you designate Notepad2.exe as the debugger for Notepad.exe, Notepad2.exe will run every time Notepad.exe is launched:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
'debugger'='d:\notepad2\notepad2.exe /z'
The feature is designed for debugging, yet it is useful in other scenarios too. If you want to replace Notepad.exe with another editor such as Notepad2, the key above does exactly that. Likewise, you can use the key to replace Task Manager with Process Explorer, so that Process Explorer opens whenever Taskmgr.exe is requested. Note that Windows appends the original program's full command line to the debugger's command line, so the replacement program must tolerate that extra argument; the /z switch in the Notepad2 example exists for this purpose.
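The Task Manager replacement described above, as an added PowerShell example (my code, not the article's and not part of Process Explorer). It assumes an elevated shell, because HKLM is writable only by administrators, and an assumed Process Explorer location of C:\Tools\procexp64.exe; adjust the path to your system.

```powershell
# Added example (not code from the article or from Process Explorer):
# set, read and remove an IFEO "Debugger" value from an elevated PowerShell session.
# The Process Explorer path below is an assumed install location.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)] [string] $ImageName,   # file name only, e.g. 'taskmgr.exe'
        [Parameter(Mandatory)] [string] $Debugger     # command line Windows will run instead
    )
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null          # subkey named after the image
    }
    # The value must be a REG_SZ named exactly "Debugger"
    Set-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -Type String
}

function Get-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path $key) {
        # Only the Debugger value is removed; other IFEO settings in the subkey stay
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

# Launch Process Explorer whenever Task Manager is requested (assumed path).
# Windows appends taskmgr.exe's own command line to the debugger's, so quote
# paths that contain spaces and make sure the replacement tolerates the extra argument.
Set-IfeoDebugger -ImageName 'taskmgr.exe' -Debugger '"C:\Tools\procexp64.exe"'
Get-IfeoDebugger -ImageName 'taskmgr.exe'     # shows the value just written

# Undo the replacement
Remove-IfeoDebugger -ImageName 'taskmgr.exe'
```

This is the same mechanism Process Explorer's own "Replace Task Manager" option uses, which is why Process Explorer copes with the appended argument. Any program you point an IFEO Debugger value at must do the same, or it will receive the original image path as an unexpected parameter.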
Attackers can leverage the same key to plant backdoors or execute malicious software on a victim's computer. A typical pattern is an IFEO key created by malware so that the malware launches whenever the user opens a legitimate application; the malware then starts the application that was originally requested, so the victim notices nothing unusual.
Image File Execution Options can also be used to plant backdoors that are reachable directly from the Windows lock screen, before anyone has signed in. Several accessibility utilities can be started from the lock screen: Sticky Keys (sethc.exe) by pressing the Shift key five times, and Utility Manager (utilman.exe) with the Windows + U key combination.
By creating IFEO keys for these programs and assigning C:\Windows\System32\cmd.exe as the debugger, an attacker creates a backdoor that opens directly on the Windows lock screen:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
'debugger'='c:\windows\system32\cmd.exe'
With the key above, anyone at the lock screen only needs to press Shift five times and a command prompt opens immediately. Because that prompt is started by the logon process before any user has signed in, it runs with SYSTEM privileges, so an attacker gets full control of the victim's computer without knowing any password.
Windows Defender is capable of detecting access attacks
To protect Windows from these attacks, Windows Defender detects IFEO keys that attach debuggers such as cmd.exe or taskmgr.exe to the utility programs accessible from the lock screen. It also catches the backdoor at the moment it is used on the lock screen, so an attacker cannot bypass the check by planting the key while Windows is offline.
Windows Defender classifies these attacks as Win32/AccessibilityEscalation and remediates them by removing the debugger value from the registry key. Below is an example of Windows Defender detecting the attack when C:\Windows\System32\cmd.exe is added as the debugger for the sethc.exe IFEO key:
In that example, Windows Defender monitors the utility programs reachable from the lock screen (such as sethc.exe and utilman.exe above) for debuggers that could be used as backdoors.
Further tests show that the detection in Windows Defender is triggered if any of the following debuggers is attached to those programs:
c:\windows\system32\cmd.exe
c:\windows\system32\taskmgr.exe
c:\windows\cmd.exe
These tests are not exhaustive; Windows Defender may detect other programs and debuggers as well.
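An audit of the same condition, as an added PowerShell example (my code; it is neither the article's nor Windows Defender's detection logic). Both lists are assumptions: the watched images cover the two utilities named in the article plus other accessibility executables that can be started from the lock screen, and the debugger list is the three paths the article reports as triggering detection. Extend either list as needed.

```powershell
# Added example (not the article's code and not Windows Defender's logic): audit
# IFEO for debuggers attached to lock-screen accessibility utilities and, with
# -Remediate, remove the Debugger value the way Defender's remediation does.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed list: the two utilities from the article plus other lock-screen accessibility tools
$WatchedImages = @('sethc.exe', 'utilman.exe', 'osk.exe',
                   'narrator.exe', 'magnify.exe', 'displayswitch.exe')

# The three debugger paths the article reports as triggering Win32/AccessibilityEscalation
$ReportedDebuggers = @(
    'c:\windows\system32\cmd.exe',
    'c:\windows\system32\taskmgr.exe',
    'c:\windows\cmd.exe'
)

# Extract the executable from a Debugger command line, e.g. "C:\a b\x.exe" /arg or C:\x.exe /arg
function Get-DebuggerExecutable {
    param([Parameter(Mandatory)] [string] $CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1).ToLowerInvariant() }
    }
    return ($cl -split '\s+', 2)[0].ToLowerInvariant()
}

function Find-AccessibilityDebugger {
    param([switch] $Remediate)    # needs an elevated shell to write HKLM
    foreach ($image in $WatchedImages) {
        $key = Join-Path $IfeoRoot $image
        if (-not (Test-Path $key)) { continue }
        $dbg = (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        # A subkey without a Debugger value is benign (other IFEO settings live there too)
        if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

        # There is no legitimate reason to debug sethc.exe and friends on a production
        # machine, so any Debugger value here is a finding; the known list only labels it.
        $exe = Get-DebuggerExecutable $dbg
        $finding = [pscustomobject]@{
            Image      = $image
            Debugger   = $dbg
            Known      = $ReportedDebuggers -contains $exe
            Remediated = $false
        }
        if ($Remediate) {
            Remove-ItemProperty -Path $key -Name 'Debugger'
            $finding.Remediated = $true
        }
        $finding
    }
}

# Report only; run with -Remediate from an elevated shell to strip the backdoor values
Find-AccessibilityDebugger | Format-Table -AutoSize
```

The script checks the registry state at the time it runs, which is the part an offline planting would leave behind; it does not reproduce Defender's lock-screen detection. Run it from a scheduled task or at startup as a complement to Windows Defender, not a replacement for it.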
There are many cases where Windows Defender is disabled and cannot run. If you are not using any other antivirus software, this is dangerous, because your computer can be infected without any warning. If you encounter this situation, see Fixing Windows Defender Disabled Error.