New Sophos Support Phone Numbers in Effect July 1st, 2023

Browse Live Discover and Response Queries by Category
Approved

This query is one you are recommended to read the FULL context of the post to use. It is not simply a copy and paste query, like others in the forum. It is valuable under the right situation.

Live Discover Query - IFEO (someone had to mention it)

 REVIEWED by Sophos 

No list of queries would be complete without at least one which focused on the "Image File Execution Options" or IFEO keys.

In short, the IEFO key can be used to alter the behaviour of a given process at start-up. It is primarily used for developers although I see in recent times, Windows sets a 'MitigationOptions' (REG_QWORD) value to configure the mitigations applied to the process.

If you wish to learn more, the Debugging Tools for Windows (ADK/SDK) comes with a utility called gflags to help set values for this key. The associated documentation for this is probably the best source on the key and possible values.

That said, from a security perspective, it can be abused (TrickBot jumps to mind), either by setting ridiculous values such that a process can't operate as intended, or simply by adding and setting a 'Debugger' REG_SZ value to prevent the process from launching.  As the name of the 'Debugger' value suggests, its primary function is to aid a developer in debugging a process.   

The following query will show all the keys (which is also the process name for identification purposes) where a 'Debugger' value exists and its value.  

select key,name,data,datetime(mtime,'unixepoch') as ModifiedTime from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%\Debugger';

Note: The 'mtime' is the modified time of the key, which could be helpful to know when something nefarious took place.

Any value returned would be cause to raise an eyebrow, although I have seen it used for genuine reasons.  For example, for those of you using Process Explorer (Sysinternals) and have set the option for it to replace TaskManager, you will see an entry for taskmgr.exe, the 'Debugger' value pointing at where you have Procexp.exe on disk.  I am sure this isn't the only software that uses it so if you find too many FPs you could maybe join the path of the value on the data in the sophos_file_properties to get reputation values.

One additional thing, if you explore this IFEO key, don't be concerned about all the Sophos process keys; Sophos Endpoint Defense, protects the Sophos processes from this IFEO key abuse and why there is an entry for each of the Sophos processes.

Regards,
Jak

jak
Unfiltered HTML