2.5 Image File Execution Options

Image File Execution Options (IFEO) allows an executable to be launched directly under a debugger. It gives developers the option to debug their software in order to investigate issues in the executable's startup code. A developer creates a subkey named after the executable under the following registry key and sets its Debugger value to the path of the debugger:

Key: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable name>"
Value: Debugger : REG_SZ : <full-path to the debugger>

Adversaries take advantage of this registry key to launch their malicious program. To demonstrate this technique, the debugger for notepad.exe is set to a calculator (calc.exe) process by adding the following registry entry:

Now, when you start notepad, it will be launched by a calculator program (even though it is not a debugger). This behavior can be seen in the following screenshot:

The following is an example of a malware sample (TrojanSpy:Win32/Small.M) that configures its malicious program, iexplor.exe, as the debugger for Internet Explorer (iexplore.exe). This is achieved by adding the following registry value. In this case, the attackers chose a filename that looks similar to the legitimate Internet Explorer executable name. Because of the following registry entry, whenever the legitimate Internet Explorer (iexplore.exe) is executed, it is launched by the malicious program iexplor.exe, thereby executing the malicious code:

[RegSetValue] LSASSMGR.EXE:960 > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = C:\Program Files\Internet Explorer\iexplor.exe

To detect this type of persistence technique, inspect the Image File Execution Options registry key for subkeys whose Debugger value does not point to a legitimate debugger, or for any other modification not related to legitimate programs.
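The check described above, carried out over registry-monitor output of the shape quoted earlier, as an added example that is not from the book or the malware sample: the script parses `[RegSetValue]` lines, keeps only writes to a `Debugger` value under the IFEO key, and flags a write when the registered program is not on a (constructed) allow-list of real debuggers or when its name is a lookalike of the executable it hijacks. The log lines, the allow-list contents and the 0.8 similarity threshold are assumptions made for this example; the first sample line mirrors the one shown in the text.

```python
import re
from difflib import SequenceMatcher
from typing import List, NamedTuple, Optional

# Key under which the per-executable IFEO subkeys live (see the key/value layout above).
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers a developer could legitimately register. Constructed allow-list for this
# example; a real deployment would tune it to the tooling actually used on the fleet.
KNOWN_DEBUGGERS = {"windbg.exe", "windbgx.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}

# Shape of the monitor lines in the text: "[RegSetValue] proc:pid > key\valuename = data".
# The lazy key group stops at the last backslash before "=", so the value name is separate.
LINE_RE = re.compile(
    r"^\[RegSetValue\]\s+(?P<proc>.+?):(?P<pid>\d+)\s+>\s+"
    r"(?P<key>.+?)\\(?P<valname>[^\\]+?)\s*=\s*(?P<data>.*)$"
)


class IfeoEvent(NamedTuple):
    process: str      # process that wrote the value
    pid: int
    target_exe: str   # executable whose launch is hijacked (the IFEO subkey name)
    debugger: str     # executable named in the Debugger value
    suspicious: bool
    reasons: List[str]


def _debugger_basename(data: str) -> str:
    """Lower-case executable name from a Debugger value, ignoring its path, quotes and arguments."""
    m = re.search(r'([^\\/"]+\.exe)', data, re.IGNORECASE)
    if m:
        return m.group(1).lower()
    tokens = data.strip().strip('"').split()
    return tokens[0].lower() if tokens else ""


def parse_regset_line(line: str) -> Optional[IfeoEvent]:
    """Parse one RegSetValue line; return an event only for writes to an IFEO Debugger value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    if not key.lower().startswith(IFEO_KEY.lower()) or m.group("valname").lower() != "debugger":
        return None
    target = key[len(IFEO_KEY):].strip("\\").lower()
    debugger = _debugger_basename(m.group("data"))

    reasons = []
    if debugger not in KNOWN_DEBUGGERS and debugger + ".exe" not in KNOWN_DEBUGGERS:
        reasons.append(f"'{debugger}' is not a known debugger")
    # Lookalike check: the sample in the text registered iexplor.exe for iexplore.exe.
    # The ".exe" suffix is dropped so the shared extension does not inflate the similarity.
    t_stem, d_stem = target.rsplit(".", 1)[0], debugger.rsplit(".", 1)[0]
    if t_stem != d_stem and SequenceMatcher(None, t_stem, d_stem).ratio() >= 0.8:
        reasons.append(f"'{debugger}' is a lookalike of the hijacked target '{target}'")
    return IfeoEvent(m.group("proc"), int(m.group("pid")), target, debugger, bool(reasons), reasons)


def scan(lines) -> List[IfeoEvent]:
    """Return every IFEO Debugger write found in the given monitor lines, flagged or not."""
    return [ev for ev in map(parse_regset_line, lines) if ev is not None]


# Constructed sample log. Line 1 mirrors the entry quoted in the text; the GlobalFlag and
# Run-key lines are there to show that unrelated writes are ignored.
SAMPLE_LOG = r"""
[RegSetValue] LSASSMGR.EXE:960 > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = C:\Program Files\Internet Explorer\iexplor.exe
[RegSetValue] reg.exe:4120 > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = C:\Windows\System32\calc.exe
[RegSetValue] devenv.exe:2210 > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger = "C:\Debuggers\windbg.exe" -g
[RegSetValue] myapp.exe:3300 > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\GlobalFlag = 0x00000002
[RegSetValue] svchost.exe:880 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\Public\upd.exe
"""

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if ev.suspicious else "ok"
        print(f"[{flag}] {ev.process}:{ev.pid} set Debugger for {ev.target_exe} -> {ev.debugger}; "
              + "; ".join(ev.reasons))
```

Run against the constructed log, the iexplore.exe and notepad.exe writes are flagged (the first one for both reasons) while the windbg.exe registration passes; the same parser can be pointed at a live monitor export, and an allow-list plus lookalike heuristic is a reasonable first filter before an analyst reviews the remaining Debugger values by hand.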
