Which SIEM platforms have a T1480 detection rule?

df00tech provides T1480 (Execution Guardrails) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Execution Guardrails (T1480)?

Detecting Execution Guardrails requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1480 detection?

The T1480 detection is rated medium severity with medium confidence.

What are common false positives for T1480?

Common false positives for T1480 include: Legitimate deployment scripts (SCCM, Group Policy) that check domain membership or hostname before applying configuration — typically parent process is svchost.exe or ccmexec.exe, not a LOLBin; Monitoring and inventory agents (Tanium, Qualys, SolarWinds) that enumerate network adapter properties or system info — whitelist by exact parent process name; IT automation tools (PDQ Deploy, Altiris) that verify target environment before running installation packages.

T1480

Execution Guardrails

Defense Evasion Last updated: April 13, 2026

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.

What is T1480 Execution Guardrails?

Execution Guardrails (T1480) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Execution Guardrails, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1480 Execution Guardrails
Canonical reference: https://attack.mitre.org/techniques/T1480/

Microsoft Sentinel / Defender

kusto

// T1480 Execution Guardrails — Environmental fingerprinting from suspicious execution contexts
// Detects processes performing target-validation checks (volume serial, hostname/domain, network identity,
// file presence, process presence) launched from LOLBin or script host parents.
// These behaviors are consistent with guardrail-enabled malware verifying it is on an intended target.
let ScriptHostsAndLolbins = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "msiexec.exe", "installutil.exe", "cmstp.exe",
    "powershell.exe", "pwsh.exe"
]);
let VolumeSerialPatterns = dynamic([
    "VolumeSerialNumber", "Win32_LogicalDisk",
    "vol c:", "vol d:", "vol e:", "fsutil volume"
]);
let DomainHostnamePatterns = dynamic([
    "Win32_ComputerSystem", "DNSDomain", "userdnsdomain",
    "logonserver", "nltest /domain_trusts", "nltest /dclist"
]);
let NetworkFingerprintPatterns = dynamic([
    "Win32_NetworkAdapterConfiguration", "MACAddress",
    "DefaultIPGateway", "Win32_NetworkAdapter"
]);
let FilePresencePatterns = dynamic([
    "if exist", "if not exist", "Test-Path",
    "haldrund.pid", "irc.pid"
]);
let ProcessPresencePatterns = dynamic([
    "ekrn.exe", "egui.exe",
    "tasklist /FI", "Get-Process -Name"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (ScriptHostsAndLolbins)
    or (FileName in~ ("wmic.exe", "nltest.exe") and InitiatingProcessFileName in~ (ScriptHostsAndLolbins))
| where ProcessCommandLine has_any (VolumeSerialPatterns)
    or ProcessCommandLine has_any (DomainHostnamePatterns)
    or ProcessCommandLine has_any (NetworkFingerprintPatterns)
    or ProcessCommandLine has_any (FilePresencePatterns)
    or ProcessCommandLine has_any (ProcessPresencePatterns)
| extend GuardrailType = case(
    ProcessCommandLine has_any (VolumeSerialPatterns), "VolumeSerial",
    ProcessCommandLine has_any (DomainHostnamePatterns), "DomainOrHostname",
    ProcessCommandLine has_any (NetworkFingerprintPatterns), "NetworkIdentity",
    ProcessCommandLine has_any (FilePresencePatterns), "FilePresence",
    ProcessCommandLine has_any (ProcessPresencePatterns), "ProcessPresence",
    "Unknown"
)
| extend RiskScore = case(
    GuardrailType == "VolumeSerial", 3,
    GuardrailType == "ProcessPresence" and ProcessCommandLine has_any ("ekrn.exe", "egui.exe"), 3,
    GuardrailType in ("DomainOrHostname", "FilePresence", "ProcessPresence"), 2,
    1
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         GuardrailType, RiskScore
| sort by RiskScore desc, Timestamp desc

Detects execution guardrail patterns where processes launched from suspicious parent executables (LOLBins, script hosts) query environment-specific properties such as volume serial numbers, domain/hostname, network adapter MAC address, file presence, or named process presence. These fingerprinting behaviors from script host or LOLBin parents are consistent with targeted malware validating the intended victim environment before releasing a payload. Volume serial checks and security-product process checks receive the highest risk score (3) due to near-zero legitimate use from these parent contexts. Domain/hostname and file presence checks score 2. Uses has_any for case-insensitive partial matching.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate deployment scripts (SCCM, Group Policy) that check domain membership or hostname before applying configuration — typically parent process is svchost.exe or ccmexec.exe, not a LOLBin
Monitoring and inventory agents (Tanium, Qualys, SolarWinds) that enumerate network adapter properties or system info — whitelist by exact parent process name
IT automation tools (PDQ Deploy, Altiris) that verify target environment before running installation packages
Developer environment setup scripts that check for specific environments (dev/staging/prod) using hostname or domain name
Backup software (Veeam, Acronis) that queries volume serial numbers for backup source identification — typically runs as a known service account

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd=lower(CommandLine), parent=lower(ParentImage)
| eval IsSuspiciousParent=if(match(parent, "(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\\.exe$"), 1, 0)
| eval VolumeSerialCheck=if(match(cmd, "(volumeserialnumber|win32_logicaldisk|vol\\s+[c-z]:|fsutil\\s+volume)"), 1, 0)
| eval DomainHostnameCheck=if(match(cmd, "(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest\\s+/(domain_trusts|dclist))"), 1, 0)
| eval NetworkFingerprintCheck=if(match(cmd, "(win32_networkadapterconfiguration|macaddress|defaultipgateway)"), 1, 0)
| eval FilePresenceCheck=if(match(cmd, "(if\\s+(not\\s+)?exist|test-path|haldrund\\.pid|irc\\.pid)"), 1, 0)
| eval ProcessPresenceCheck=if(match(cmd, "(ekrn\\.exe|egui\\.exe|tasklist\\s+/fi|get-process\\s+-name)"), 1, 0)
| eval GuardrailScore=VolumeSerialCheck + DomainHostnameCheck + NetworkFingerprintCheck + FilePresenceCheck + ProcessPresenceCheck
| where GuardrailScore > 0 AND IsSuspiciousParent=1
| eval GuardrailType=case(
    VolumeSerialCheck=1, "VolumeSerial",
    DomainHostnameCheck=1, "DomainOrHostname",
    NetworkFingerprintCheck=1, "NetworkIdentity",
    FilePresenceCheck=1, "FilePresence",
    ProcessPresenceCheck=1, "ProcessPresence",
    true(), "Unknown")
| eval RiskScore=case(
    VolumeSerialCheck=1, 3,
    ProcessPresenceCheck=1 AND match(cmd, "(ekrn\\.exe|egui\\.exe)"), 3,
    DomainHostnameCheck=1 OR FilePresenceCheck=1 OR ProcessPresenceCheck=1, 2,
    true(), 1)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        GuardrailType, GuardrailScore, RiskScore
| sort - RiskScore, - _time

Detects execution guardrail patterns using Sysmon Event ID 1 (Process Creation). Evaluates command lines of child processes launched from LOLBins and script hosts against five guardrail categories: volume serial number queries, domain/hostname checks, network identity enumeration, file presence tests, and process presence checks. A composite GuardrailScore (sum of matched categories) and RiskScore (highest-risk category) help prioritize alerts. Volume serial checks and security-product process checks (ESET ekrn.exe/egui.exe) score highest at 3.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate deployment scripts checking domain membership or hostname before applying configuration
Monitoring and inventory agents enumerating network adapter properties or system info for asset tracking
IT automation tools verifying target environment before running installation packages
Developer scripts checking for environment type (dev/staging/prod) via hostname or domain
Backup software querying volume serial numbers for source identification when launched via a management console

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                          "regsvr32.exe", "msiexec.exe", "installutil.exe", "cmstp.exe",
                          "powershell.exe", "pwsh.exe") and
  process.command_line : (
    "*VolumeSerialNumber*", "*Win32_LogicalDisk*", "*vol c:*", "*vol d:*", "*vol e:*", "*fsutil volume*",
    "*Win32_ComputerSystem*", "*DNSDomain*", "*userdnsdomain*", "*logonserver*",
    "*nltest*/domain_trusts*", "*nltest*/dclist*",
    "*Win32_NetworkAdapterConfiguration*", "*MACAddress*", "*DefaultIPGateway*", "*Win32_NetworkAdapter*",
    "*if exist*", "*if not exist*", "*Test-Path*", "*haldrund.pid*", "*irc.pid*",
    "*ekrn.exe*", "*egui.exe*", "*tasklist*/FI*", "*Get-Process*-Name*"
  )

Detects child processes of LOLBins and script hosts whose command lines contain environmental fingerprinting patterns consistent with T1480 Execution Guardrails. Covers volume serial number queries via WMI or fsutil, domain and hostname enumeration via WMI or nltest, network adapter MAC and gateway checks, file presence tests using cmd.exe conditionals or PowerShell Test-Path, and process presence checks including ESET-specific binary names used by TONESHELL-style guardrails. Requires Elastic Endpoint or Sysmon via Winlogbeat with process command line collection enabled.

high severity high confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.process-*) Winlogbeat with Sysmon Module (winlogbeat-*) Elastic Agent with Windows Integration

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

SCCM or Ansible inventory agents launched via WMI providers querying Win32_ComputerSystem or Win32_LogicalDisk for hardware asset discovery — these will match domain/hostname and volume serial patterns when a script host is the initiating process
Software license enforcement routines in commercial installers (e.g., AutoCAD, Adobe) that use msiexec or installutil as parent and spawn scripts checking volume serial numbers or hostnames for node-locked license validation
Remote monitoring and management tools (ConnectWise Automate, N-able, Datto RMM) that execute PowerShell or cscript diagnostics checking domain trust relationships via nltest or enumerating network adapters via WMI for asset inventory

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  "deviceName" AS hostname,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  CASE
    WHEN LOWER("Command") ILIKE '%volumeserialnumber%'
      OR LOWER("Command") ILIKE '%win32_logicaldisk%'
      OR LOWER("Command") ILIKE '%fsutil volume%'
      OR LOWER("Command") ILIKE '%vol c:%'
      OR LOWER("Command") ILIKE '%vol d:%' THEN 'VolumeSerial'
    WHEN LOWER("Command") ILIKE '%win32_computersystem%'
      OR LOWER("Command") ILIKE '%dnsdomain%'
      OR LOWER("Command") ILIKE '%userdnsdomain%'
      OR LOWER("Command") ILIKE '%logonserver%'
      OR LOWER("Command") ILIKE '%nltest%domain_trusts%'
      OR LOWER("Command") ILIKE '%nltest%dclist%' THEN 'DomainOrHostname'
    WHEN LOWER("Command") ILIKE '%win32_networkadapterconfiguration%'
      OR LOWER("Command") ILIKE '%macaddress%'
      OR LOWER("Command") ILIKE '%defaultipgateway%' THEN 'NetworkIdentity'
    WHEN LOWER("Command") ILIKE '%if exist%'
      OR LOWER("Command") ILIKE '%if not exist%'
      OR LOWER("Command") ILIKE '%test-path%'
      OR LOWER("Command") ILIKE '%haldrund.pid%'
      OR LOWER("Command") ILIKE '%irc.pid%' THEN 'FilePresence'
    WHEN LOWER("Command") ILIKE '%ekrn.exe%'
      OR LOWER("Command") ILIKE '%egui.exe%'
      OR LOWER("Command") ILIKE '%tasklist%/fi%'
      OR LOWER("Command") ILIKE '%get-process%-name%' THEN 'ProcessPresence'
    ELSE 'Unknown'
  END AS guardrail_type,
  CASE
    WHEN LOWER("Command") ILIKE '%volumeserialnumber%'
      OR LOWER("Command") ILIKE '%win32_logicaldisk%'
      OR LOWER("Command") ILIKE '%fsutil volume%' THEN 3
    WHEN LOWER("Command") ILIKE '%ekrn.exe%'
      OR LOWER("Command") ILIKE '%egui.exe%' THEN 3
    WHEN LOWER("Command") ILIKE '%win32_computersystem%'
      OR LOWER("Command") ILIKE '%dnsdomain%'
      OR LOWER("Command") ILIKE '%if exist%'
      OR LOWER("Command") ILIKE '%test-path%'
      OR LOWER("Command") ILIKE '%get-process%-name%' THEN 2
    ELSE 1
  END AS risk_score
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    LOWER("Parent Process Name") ILIKE '%wscript.exe'
    OR LOWER("Parent Process Name") ILIKE '%cscript.exe'
    OR LOWER("Parent Process Name") ILIKE '%mshta.exe'
    OR LOWER("Parent Process Name") ILIKE '%rundll32.exe'
    OR LOWER("Parent Process Name") ILIKE '%regsvr32.exe'
    OR LOWER("Parent Process Name") ILIKE '%msiexec.exe'
    OR LOWER("Parent Process Name") ILIKE '%installutil.exe'
    OR LOWER("Parent Process Name") ILIKE '%cmstp.exe'
    OR LOWER("Parent Process Name") ILIKE '%powershell.exe'
    OR LOWER("Parent Process Name") ILIKE '%pwsh.exe'
  )
  AND (
    LOWER("Command") ILIKE '%volumeserialnumber%'
    OR LOWER("Command") ILIKE '%win32_logicaldisk%'
    OR LOWER("Command") ILIKE '%fsutil volume%'
    OR LOWER("Command") ILIKE '%win32_computersystem%'
    OR LOWER("Command") ILIKE '%dnsdomain%'
    OR LOWER("Command") ILIKE '%userdnsdomain%'
    OR LOWER("Command") ILIKE '%logonserver%'
    OR LOWER("Command") ILIKE '%nltest%domain_trusts%'
    OR LOWER("Command") ILIKE '%nltest%dclist%'
    OR LOWER("Command") ILIKE '%win32_networkadapterconfiguration%'
    OR LOWER("Command") ILIKE '%macaddress%'
    OR LOWER("Command") ILIKE '%defaultipgateway%'
    OR LOWER("Command") ILIKE '%if exist%'
    OR LOWER("Command") ILIKE '%test-path%'
    OR LOWER("Command") ILIKE '%haldrund.pid%'
    OR LOWER("Command") ILIKE '%irc.pid%'
    OR LOWER("Command") ILIKE '%ekrn.exe%'
    OR LOWER("Command") ILIKE '%egui.exe%'
    OR LOWER("Command") ILIKE '%tasklist%/fi%'
    OR LOWER("Command") ILIKE '%get-process%-name%'
  )
ORDER BY risk_score DESC, starttime DESC
LIMIT 1000

AQL query for QRadar targeting process creation events (typically sourced from Windows Security Event 4688 with command line auditing or Sysmon Event 1 via a DSM) where the parent process is a known LOLBin or script interpreter and the child command line contains environmental fingerprinting patterns consistent with T1480 Execution Guardrails. Field names 'Command', 'Process Name', and 'Parent Process Name' follow the QRadar Windows Security DSM normalisation — adjust to match your local DSM property mappings if divergent. Risk scoring and guardrail type classification mirror the Sentinel and Splunk baselines for cross-platform consistency.

high severity medium confidence

Data Sources

QRadar Windows Security Events DSM (Event ID 4688 with process command line auditing) QRadar Sysmon DSM (Event ID 1) Microsoft Windows Security Event Log via WinCollect or syslog

Required Tables

events

False Positives

Enterprise patch management agents (WSUS, SCCM, Ivanti) that invoke PowerShell or msiexec as parent processes and spawn child scripts querying Win32_LogicalDisk for target disk space or Win32_ComputerSystem for OS version before applying patches
IT automation frameworks (Ansible WinRM, Puppet, Chef) executing scripts via cscript or wscript that verify domain membership or enumerate network adapter configuration as pre-flight checks before applying configuration baselines
Legitimate software license managers (FlexNet, Sentinel RMS) that spawn child processes from installutil or rundll32 to check volume serial numbers or hostnames for node-locked license enforcement

Sumo Logic CSE

sql

(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*winlogbeat*" OR _sourceCategory="*wineventlog*")
| where EventID = "1" OR EventCode = "1"
| eval cmd = toLowerCase(CommandLine)
| eval parent = toLowerCase(ParentImage)
| where parent matches "*\\wscript.exe"
  OR parent matches "*\\cscript.exe"
  OR parent matches "*\\mshta.exe"
  OR parent matches "*\\rundll32.exe"
  OR parent matches "*\\regsvr32.exe"
  OR parent matches "*\\msiexec.exe"
  OR parent matches "*\\installutil.exe"
  OR parent matches "*\\cmstp.exe"
  OR parent matches "*\\powershell.exe"
  OR parent matches "*\\pwsh.exe"
| eval VolumeSerialCheck = if(cmd matches "*volumeserialnumber*" OR cmd matches "*win32_logicaldisk*" OR cmd matches "*fsutil volume*" OR cmd matches "*vol c:*" OR cmd matches "*vol d:*", 1, 0)
| eval DomainHostnameCheck = if(cmd matches "*win32_computersystem*" OR cmd matches "*dnsdomain*" OR cmd matches "*userdnsdomain*" OR cmd matches "*logonserver*" OR cmd matches "*nltest*domain_trusts*" OR cmd matches "*nltest*dclist*", 1, 0)
| eval NetworkFingerprintCheck = if(cmd matches "*win32_networkadapterconfiguration*" OR cmd matches "*macaddress*" OR cmd matches "*defaultipgateway*" OR cmd matches "*win32_networkadapter*", 1, 0)
| eval FilePresenceCheck = if(cmd matches "*if exist*" OR cmd matches "*if not exist*" OR cmd matches "*test-path*" OR cmd matches "*haldrund.pid*" OR cmd matches "*irc.pid*", 1, 0)
| eval ProcessPresenceCheck = if(cmd matches "*ekrn.exe*" OR cmd matches "*egui.exe*" OR cmd matches "*tasklist*/fi*" OR cmd matches "*get-process*-name*", 1, 0)
| eval GuardrailScore = VolumeSerialCheck + DomainHostnameCheck + NetworkFingerprintCheck + FilePresenceCheck + ProcessPresenceCheck
| where GuardrailScore > 0
| eval GuardrailType = if(VolumeSerialCheck = 1, "VolumeSerial",
    if(DomainHostnameCheck = 1, "DomainOrHostname",
    if(NetworkFingerprintCheck = 1, "NetworkIdentity",
    if(FilePresenceCheck = 1, "FilePresence",
    if(ProcessPresenceCheck = 1, "ProcessPresence", "Unknown")))))
| eval RiskScore = if(VolumeSerialCheck = 1, 3,
    if(ProcessPresenceCheck = 1 AND (cmd matches "*ekrn.exe*" OR cmd matches "*egui.exe*"), 3,
    if(DomainHostnameCheck = 1 OR FilePresenceCheck = 1 OR ProcessPresenceCheck = 1, 2, 1)))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, GuardrailType, GuardrailScore, RiskScore
| sort by RiskScore desc, _messageTime desc

Sumo Logic query for T1480 Execution Guardrails targeting Sysmon Event ID 1 (Process Create) where a LOLBin or script interpreter is the parent process and the child command line contains environmental fingerprinting patterns. Covers all five guardrail categories (volume serial, domain/hostname, network identity, file presence, process presence) with per-event scoring consistent with the Sentinel and Splunk baselines. Adjust _sourceCategory values to match your Sysmon or Winlogbeat source configuration. Requires Sysmon deployed with ProcessCreate logging and command line capture enabled in sysmonconfig.xml.

high severity high confidence

Data Sources

Sumo Logic Sysmon App (Sysmon Event ID 1) Sumo Logic Windows App (Security Event 4688 with command line auditing) Winlogbeat forwarding to Sumo Logic HTTP Source

Required Tables

Sysmon Event ID 1 — Process Create

False Positives

Group Policy-triggered PowerShell scripts that run at logon or machine startup and use Test-Path or 'if exist' to conditionally apply configuration depending on whether a machine is in a specific OU or has specific software installed
Software deployment orchestrators (PDQ Deploy, ManageEngine Desktop Central) that use msiexec or installutil as parent processes while child scripts verify target OS domain membership or available disk volumes before staging installation packages
Endpoint hardening and CIS benchmark scripts executed via scheduled tasks under wscript or cscript that enumerate running processes including known AV/EDR binaries to determine hardening profile applicability

Google Chronicle / SecOps

yaral

rule t1480_execution_guardrails_env_fingerprinting {
  meta:
    author = "Detection Engineering"
    description = "Detects processes spawned by LOLBins or script hosts performing environmental fingerprinting consistent with T1480 Execution Guardrails — volume serial checks, domain/hostname enumeration, network adapter queries, file/process presence validation"
    severity = "HIGH"
    tactic = "Defense Evasion"
    technique = "T1480"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1480/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    $e.target.process.command_line != ""

    // Parent must be a LOLBin or script interpreter
    re.regex($e.principal.process.file.full_path,
      `(?i)(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\.exe$`)

    // Child command line must contain at least one guardrail fingerprinting pattern
    (
      re.regex($e.target.process.command_line,
        `(?i)(volumeserialnumber|win32_logicaldisk|vol\s+[c-z]:|fsutil\s+volume)`) or
      re.regex($e.target.process.command_line,
        `(?i)(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist))`) or
      re.regex($e.target.process.command_line,
        `(?i)(win32_networkadapterconfiguration|macaddress|defaultipgateway|win32_networkadapter)`) or
      re.regex($e.target.process.command_line,
        `(?i)(if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid)`) or
      re.regex($e.target.process.command_line,
        `(?i)(ekrn\.exe|egui\.exe|tasklist\s+/fi|get-process\s+-name)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule for T1480 Execution Guardrails triggering on PROCESS_LAUNCH UDM events where the principal (parent) process path matches a LOLBin or script interpreter and the target (spawned) process command line contains environmental fingerprinting patterns. Five guardrail categories covered: volume serial number queries, domain/hostname WMI enumeration, network adapter MAC/gateway checks, cmd.exe or PowerShell file presence tests, and process presence checks including ESET security binary names used by TONESHELL. Requires Chronicle ingestion of Windows endpoint telemetry with process lineage and command line fields populated in the UDM principal/target model.

high severity high confidence

Data Sources

Chronicle UDM — Windows Endpoint Events (PROCESS_LAUNCH) Google Security Operations SIEM with Mandiant Endpoint or Carbon Black/CrowdStrike ingestion Chronicle Ingestion API with Sysmon XML parser (process create events)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise software deployment pipelines (Chocolatey, Winget, Scoop) where PowerShell is the parent and child scripts perform pre-flight checks including Test-Path or Win32_ComputerSystem queries to verify installation prerequisites before committing package installation
RMM agents (ConnectWise Automate, N-able, Kaseya) that routinely execute script-host-spawned diagnostics checking domain trust relationships via nltest or enumerating network adapters via WMI for managed device inventory
Anti-virus or EDR deployment scripts executed under msiexec that explicitly check for the presence of competing security products — including ESET binaries ekrn.exe and egui.exe — to prevent compatibility conflicts during installation or upgrade

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(?i)^(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\.exe$/
| CommandLine = /(?i)(volumeserialnumber|win32_logicaldisk|fsutil\s+volume|vol\s+[c-z]:|win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist)|win32_networkadapterconfiguration|macaddress|defaultipgateway|win32_networkadapter|if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid|ekrn\.exe|egui\.exe|tasklist.*\/fi|get-process\s+-name)/
| VolumeSerial := if(CommandLine = /(?i)(volumeserialnumber|win32_logicaldisk|fsutil\s+volume|vol\s+[c-z]:)/, 1, 0)
| DomainHostname := if(CommandLine = /(?i)(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist))/, 1, 0)
| NetworkFingerprint := if(CommandLine = /(?i)(win32_networkadapterconfiguration|macaddress|defaultipgateway)/, 1, 0)
| FilePresence := if(CommandLine = /(?i)(if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid)/, 1, 0)
| ProcessPresence := if(CommandLine = /(?i)(ekrn\.exe|egui\.exe|tasklist.*\/fi|get-process\s+-name)/, 1, 0)
| EsetCheck := if(CommandLine = /(?i)(ekrn\.exe|egui\.exe)/, 1, 0)
| RiskScore := if(VolumeSerial = 1, 3, if(EsetCheck = 1, 3, if(DomainHostname = 1 OR FilePresence = 1 OR ProcessPresence = 1, 2, 1)))
| GuardrailType := case {
    VolumeSerial = 1 | "VolumeSerial" ;
    DomainHostname = 1 | "DomainOrHostname" ;
    NetworkFingerprint = 1 | "NetworkIdentity" ;
    FilePresence = 1 | "FilePresence" ;
    ProcessPresence = 1 | "ProcessPresence" ;
    * | "Unknown"
  }
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, GuardrailType, RiskScore])
| sort(RiskScore, order=desc)

CrowdStrike Falcon LogScale (CQL) query for T1480 Execution Guardrails filtering ProcessRollup2 events where the ParentBaseFileName matches a LOLBin or script interpreter and the CommandLine contains environmental fingerprinting patterns consistent with targeted malware performing target validation before payload execution. Covers all five guardrail categories with risk scoring matching the Sentinel and Splunk baselines. ESET process checks (ekrn.exe, egui.exe) receive elevated risk score of 3 consistent with TONESHELL TTPs. Requires Falcon sensor with full process telemetry and command line capture configured; ProcessRollup2 events must be present in the LogScale repository.

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor — ProcessRollup2 events Falcon LogScale (Humio) ingestion pipeline CrowdStrike Falcon Data Replicator (FDR) feed

Required Tables

ProcessRollup2

False Positives

Falcon-managed endpoints running CrowdStrike RTR (Real Time Response) PowerShell scripts that enumerate WMI classes or check domain membership and network configuration for scoping incident response actions — RTR parent processes may appear as powershell.exe spawning diagnostic commands
Software packaging tools (InstallShield, NSIS, Advanced Installer) that spawn script hosts or rundll32 during installation to fingerprint the target system's volume serial number or OS domain for activation, licensing, or feature-gating purposes
Endpoint management agents (Tanium, BigFix, Ivanti Neurons) where the management client acts as the initiating process and spawns diagnostic scripts that check for running security processes or enumerate network adapter configuration as part of compliance posture assessment workflows

Sigma rule & cross-platform mapping

The detection logic for Execution Guardrails (T1480) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1480 Sigma rules on detection.fyi

Platform-specific guides for T1480

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Volume Serial Number Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.
Test 2Hostname and Domain Membership Check via PowerShell WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.
Test 3File Presence Guardrail Check via CMD
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.
Test 4Security Product Process Check via Tasklist
Expected signal: Sysmon Event ID 1: Two process creation events — cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in command-line audit.
Test 5Linux PID File Mutex Guardrail
Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1480 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Execution Guardrails

What is T1480 Execution Guardrails?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1480

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1480 Execution Guardrails?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1480

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox