T1480

Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.

Microsoft Sentinel / Defender

kusto

// T1480 Execution Guardrails — Environmental fingerprinting from suspicious execution contexts
// Detects processes performing target-validation checks (volume serial, hostname/domain, network identity,
// file presence, process presence) launched from LOLBin or script host parents.
// These behaviors are consistent with guardrail-enabled malware verifying it is on an intended target.
let ScriptHostsAndLolbins = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "msiexec.exe", "installutil.exe", "cmstp.exe",
    "powershell.exe", "pwsh.exe"
]);
let VolumeSerialPatterns = dynamic([
    "VolumeSerialNumber", "Win32_LogicalDisk",
    "vol c:", "vol d:", "vol e:", "fsutil volume"
]);
let DomainHostnamePatterns = dynamic([
    "Win32_ComputerSystem", "DNSDomain", "userdnsdomain",
    "logonserver", "nltest /domain_trusts", "nltest /dclist"
]);
let NetworkFingerprintPatterns = dynamic([
    "Win32_NetworkAdapterConfiguration", "MACAddress",
    "DefaultIPGateway", "Win32_NetworkAdapter"
]);
let FilePresencePatterns = dynamic([
    "if exist", "if not exist", "Test-Path",
    "haldrund.pid", "irc.pid"
]);
let ProcessPresencePatterns = dynamic([
    "ekrn.exe", "egui.exe",
    "tasklist /FI", "Get-Process -Name"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (ScriptHostsAndLolbins)
    or (FileName in~ ("wmic.exe", "nltest.exe") and InitiatingProcessFileName in~ (ScriptHostsAndLolbins))
| where ProcessCommandLine has_any (VolumeSerialPatterns)
    or ProcessCommandLine has_any (DomainHostnamePatterns)
    or ProcessCommandLine has_any (NetworkFingerprintPatterns)
    or ProcessCommandLine has_any (FilePresencePatterns)
    or ProcessCommandLine has_any (ProcessPresencePatterns)
| extend GuardrailType = case(
    ProcessCommandLine has_any (VolumeSerialPatterns), "VolumeSerial",
    ProcessCommandLine has_any (DomainHostnamePatterns), "DomainOrHostname",
    ProcessCommandLine has_any (NetworkFingerprintPatterns), "NetworkIdentity",
    ProcessCommandLine has_any (FilePresencePatterns), "FilePresence",
    ProcessCommandLine has_any (ProcessPresencePatterns), "ProcessPresence",
    "Unknown"
)
| extend RiskScore = case(
    GuardrailType == "VolumeSerial", 3,
    GuardrailType == "ProcessPresence" and ProcessCommandLine has_any ("ekrn.exe", "egui.exe"), 3,
    GuardrailType in ("DomainOrHostname", "FilePresence", "ProcessPresence"), 2,
    1
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         GuardrailType, RiskScore
| sort by RiskScore desc, Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate deployment scripts (SCCM, Group Policy) that check domain membership or hostname before applying configuration — typically parent process is svchost.exe or ccmexec.exe, not a LOLBin
Monitoring and inventory agents (Tanium, Qualys, SolarWinds) that enumerate network adapter properties or system info — whitelist by exact parent process name
IT automation tools (PDQ Deploy, Altiris) that verify target environment before running installation packages
Developer environment setup scripts that check for specific environments (dev/staging/prod) using hostname or domain name
Backup software (Veeam, Acronis) that queries volume serial numbers for backup source identification — typically runs as a known service account

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd=lower(CommandLine), parent=lower(ParentImage)
| eval IsSuspiciousParent=if(match(parent, "(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\\.exe$"), 1, 0)
| eval VolumeSerialCheck=if(match(cmd, "(volumeserialnumber|win32_logicaldisk|vol\\s+[c-z]:|fsutil\\s+volume)"), 1, 0)
| eval DomainHostnameCheck=if(match(cmd, "(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest\\s+/(domain_trusts|dclist))"), 1, 0)
| eval NetworkFingerprintCheck=if(match(cmd, "(win32_networkadapterconfiguration|macaddress|defaultipgateway)"), 1, 0)
| eval FilePresenceCheck=if(match(cmd, "(if\\s+(not\\s+)?exist|test-path|haldrund\\.pid|irc\\.pid)"), 1, 0)
| eval ProcessPresenceCheck=if(match(cmd, "(ekrn\\.exe|egui\\.exe|tasklist\\s+/fi|get-process\\s+-name)"), 1, 0)
| eval GuardrailScore=VolumeSerialCheck + DomainHostnameCheck + NetworkFingerprintCheck + FilePresenceCheck + ProcessPresenceCheck
| where GuardrailScore > 0 AND IsSuspiciousParent=1
| eval GuardrailType=case(
    VolumeSerialCheck=1, "VolumeSerial",
    DomainHostnameCheck=1, "DomainOrHostname",
    NetworkFingerprintCheck=1, "NetworkIdentity",
    FilePresenceCheck=1, "FilePresence",
    ProcessPresenceCheck=1, "ProcessPresence",
    true(), "Unknown")
| eval RiskScore=case(
    VolumeSerialCheck=1, 3,
    ProcessPresenceCheck=1 AND match(cmd, "(ekrn\\.exe|egui\\.exe)"), 3,
    DomainHostnameCheck=1 OR FilePresenceCheck=1 OR ProcessPresenceCheck=1, 2,
    true(), 1)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        GuardrailType, GuardrailScore, RiskScore
| sort - RiskScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate deployment scripts checking domain membership or hostname before applying configuration
Monitoring and inventory agents enumerating network adapter properties or system info for asset tracking
IT automation tools verifying target environment before running installation packages
Developer scripts checking for environment type (dev/staging/prod) via hostname or domain
Backup software querying volume serial numbers for source identification when launched via a management console

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  "deviceName" AS hostname,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  CASE
    WHEN LOWER("Command") ILIKE '%volumeserialnumber%'
      OR LOWER("Command") ILIKE '%win32_logicaldisk%'
      OR LOWER("Command") ILIKE '%fsutil volume%'
      OR LOWER("Command") ILIKE '%vol c:%'
      OR LOWER("Command") ILIKE '%vol d:%' THEN 'VolumeSerial'
    WHEN LOWER("Command") ILIKE '%win32_computersystem%'
      OR LOWER("Command") ILIKE '%dnsdomain%'
      OR LOWER("Command") ILIKE '%userdnsdomain%'
      OR LOWER("Command") ILIKE '%logonserver%'
      OR LOWER("Command") ILIKE '%nltest%domain_trusts%'
      OR LOWER("Command") ILIKE '%nltest%dclist%' THEN 'DomainOrHostname'
    WHEN LOWER("Command") ILIKE '%win32_networkadapterconfiguration%'
      OR LOWER("Command") ILIKE '%macaddress%'
      OR LOWER("Command") ILIKE '%defaultipgateway%' THEN 'NetworkIdentity'
    WHEN LOWER("Command") ILIKE '%if exist%'
      OR LOWER("Command") ILIKE '%if not exist%'
      OR LOWER("Command") ILIKE '%test-path%'
      OR LOWER("Command") ILIKE '%haldrund.pid%'
      OR LOWER("Command") ILIKE '%irc.pid%' THEN 'FilePresence'
    WHEN LOWER("Command") ILIKE '%ekrn.exe%'
      OR LOWER("Command") ILIKE '%egui.exe%'
      OR LOWER("Command") ILIKE '%tasklist%/fi%'
      OR LOWER("Command") ILIKE '%get-process%-name%' THEN 'ProcessPresence'
    ELSE 'Unknown'
  END AS guardrail_type,
  CASE
    WHEN LOWER("Command") ILIKE '%volumeserialnumber%'
      OR LOWER("Command") ILIKE '%win32_logicaldisk%'
      OR LOWER("Command") ILIKE '%fsutil volume%' THEN 3
    WHEN LOWER("Command") ILIKE '%ekrn.exe%'
      OR LOWER("Command") ILIKE '%egui.exe%' THEN 3
    WHEN LOWER("Command") ILIKE '%win32_computersystem%'
      OR LOWER("Command") ILIKE '%dnsdomain%'
      OR LOWER("Command") ILIKE '%if exist%'
      OR LOWER("Command") ILIKE '%test-path%'
      OR LOWER("Command") ILIKE '%get-process%-name%' THEN 2
    ELSE 1
  END AS risk_score
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    LOWER("Parent Process Name") ILIKE '%wscript.exe'
    OR LOWER("Parent Process Name") ILIKE '%cscript.exe'
    OR LOWER("Parent Process Name") ILIKE '%mshta.exe'
    OR LOWER("Parent Process Name") ILIKE '%rundll32.exe'
    OR LOWER("Parent Process Name") ILIKE '%regsvr32.exe'
    OR LOWER("Parent Process Name") ILIKE '%msiexec.exe'
    OR LOWER("Parent Process Name") ILIKE '%installutil.exe'
    OR LOWER("Parent Process Name") ILIKE '%cmstp.exe'
    OR LOWER("Parent Process Name") ILIKE '%powershell.exe'
    OR LOWER("Parent Process Name") ILIKE '%pwsh.exe'
  )
  AND (
    LOWER("Command") ILIKE '%volumeserialnumber%'
    OR LOWER("Command") ILIKE '%win32_logicaldisk%'
    OR LOWER("Command") ILIKE '%fsutil volume%'
    OR LOWER("Command") ILIKE '%win32_computersystem%'
    OR LOWER("Command") ILIKE '%dnsdomain%'
    OR LOWER("Command") ILIKE '%userdnsdomain%'
    OR LOWER("Command") ILIKE '%logonserver%'
    OR LOWER("Command") ILIKE '%nltest%domain_trusts%'
    OR LOWER("Command") ILIKE '%nltest%dclist%'
    OR LOWER("Command") ILIKE '%win32_networkadapterconfiguration%'
    OR LOWER("Command") ILIKE '%macaddress%'
    OR LOWER("Command") ILIKE '%defaultipgateway%'
    OR LOWER("Command") ILIKE '%if exist%'
    OR LOWER("Command") ILIKE '%test-path%'
    OR LOWER("Command") ILIKE '%haldrund.pid%'
    OR LOWER("Command") ILIKE '%irc.pid%'
    OR LOWER("Command") ILIKE '%ekrn.exe%'
    OR LOWER("Command") ILIKE '%egui.exe%'
    OR LOWER("Command") ILIKE '%tasklist%/fi%'
    OR LOWER("Command") ILIKE '%get-process%-name%'
  )
ORDER BY risk_score DESC, starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

QRadar Windows Security Events DSM (Event ID 4688 with process command line auditing) QRadar Sysmon DSM (Event ID 1) Microsoft Windows Security Event Log via WinCollect or syslog

Required Tables

events

False Positives

Enterprise patch management agents (WSUS, SCCM, Ivanti) that invoke PowerShell or msiexec as parent processes and spawn child scripts querying Win32_LogicalDisk for target disk space or Win32_ComputerSystem for OS version before applying patches
IT automation frameworks (Ansible WinRM, Puppet, Chef) executing scripts via cscript or wscript that verify domain membership or enumerate network adapter configuration as pre-flight checks before applying configuration baselines
Legitimate software license managers (FlexNet, Sentinel RMS) that spawn child processes from installutil or rundll32 to check volume serial numbers or hostnames for node-locked license enforcement

Sumo Logic CSE

sql

(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*winlogbeat*" OR _sourceCategory="*wineventlog*")
| where EventID = "1" OR EventCode = "1"
| eval cmd = toLowerCase(CommandLine)
| eval parent = toLowerCase(ParentImage)
| where parent matches "*\\wscript.exe"
  OR parent matches "*\\cscript.exe"
  OR parent matches "*\\mshta.exe"
  OR parent matches "*\\rundll32.exe"
  OR parent matches "*\\regsvr32.exe"
  OR parent matches "*\\msiexec.exe"
  OR parent matches "*\\installutil.exe"
  OR parent matches "*\\cmstp.exe"
  OR parent matches "*\\powershell.exe"
  OR parent matches "*\\pwsh.exe"
| eval VolumeSerialCheck = if(cmd matches "*volumeserialnumber*" OR cmd matches "*win32_logicaldisk*" OR cmd matches "*fsutil volume*" OR cmd matches "*vol c:*" OR cmd matches "*vol d:*", 1, 0)
| eval DomainHostnameCheck = if(cmd matches "*win32_computersystem*" OR cmd matches "*dnsdomain*" OR cmd matches "*userdnsdomain*" OR cmd matches "*logonserver*" OR cmd matches "*nltest*domain_trusts*" OR cmd matches "*nltest*dclist*", 1, 0)
| eval NetworkFingerprintCheck = if(cmd matches "*win32_networkadapterconfiguration*" OR cmd matches "*macaddress*" OR cmd matches "*defaultipgateway*" OR cmd matches "*win32_networkadapter*", 1, 0)
| eval FilePresenceCheck = if(cmd matches "*if exist*" OR cmd matches "*if not exist*" OR cmd matches "*test-path*" OR cmd matches "*haldrund.pid*" OR cmd matches "*irc.pid*", 1, 0)
| eval ProcessPresenceCheck = if(cmd matches "*ekrn.exe*" OR cmd matches "*egui.exe*" OR cmd matches "*tasklist*/fi*" OR cmd matches "*get-process*-name*", 1, 0)
| eval GuardrailScore = VolumeSerialCheck + DomainHostnameCheck + NetworkFingerprintCheck + FilePresenceCheck + ProcessPresenceCheck
| where GuardrailScore > 0
| eval GuardrailType = if(VolumeSerialCheck = 1, "VolumeSerial",
    if(DomainHostnameCheck = 1, "DomainOrHostname",
    if(NetworkFingerprintCheck = 1, "NetworkIdentity",
    if(FilePresenceCheck = 1, "FilePresence",
    if(ProcessPresenceCheck = 1, "ProcessPresence", "Unknown")))))
| eval RiskScore = if(VolumeSerialCheck = 1, 3,
    if(ProcessPresenceCheck = 1 AND (cmd matches "*ekrn.exe*" OR cmd matches "*egui.exe*"), 3,
    if(DomainHostnameCheck = 1 OR FilePresenceCheck = 1 OR ProcessPresenceCheck = 1, 2, 1)))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, GuardrailType, GuardrailScore, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Sysmon App (Sysmon Event ID 1) Sumo Logic Windows App (Security Event 4688 with command line auditing) Winlogbeat forwarding to Sumo Logic HTTP Source

Required Tables

Sysmon Event ID 1 — Process Create

False Positives

Group Policy-triggered PowerShell scripts that run at logon or machine startup and use Test-Path or 'if exist' to conditionally apply configuration depending on whether a machine is in a specific OU or has specific software installed
Software deployment orchestrators (PDQ Deploy, ManageEngine Desktop Central) that use msiexec or installutil as parent processes while child scripts verify target OS domain membership or available disk volumes before staging installation packages
Endpoint hardening and CIS benchmark scripts executed via scheduled tasks under wscript or cscript that enumerate running processes including known AV/EDR binaries to determine hardening profile applicability

Google Chronicle / SecOps

yaral

rule t1480_execution_guardrails_env_fingerprinting {
  meta:
    author = "Detection Engineering"
    description = "Detects processes spawned by LOLBins or script hosts performing environmental fingerprinting consistent with T1480 Execution Guardrails — volume serial checks, domain/hostname enumeration, network adapter queries, file/process presence validation"
    severity = "HIGH"
    tactic = "Defense Evasion"
    technique = "T1480"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1480/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    $e.target.process.command_line != ""

    // Parent must be a LOLBin or script interpreter
    re.regex($e.principal.process.file.full_path,
      `(?i)(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\.exe$`)

    // Child command line must contain at least one guardrail fingerprinting pattern
    (
      re.regex($e.target.process.command_line,
        `(?i)(volumeserialnumber|win32_logicaldisk|vol\s+[c-z]:|fsutil\s+volume)`) or
      re.regex($e.target.process.command_line,
        `(?i)(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist))`) or
      re.regex($e.target.process.command_line,
        `(?i)(win32_networkadapterconfiguration|macaddress|defaultipgateway|win32_networkadapter)`) or
      re.regex($e.target.process.command_line,
        `(?i)(if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid)`) or
      re.regex($e.target.process.command_line,
        `(?i)(ekrn\.exe|egui\.exe|tasklist\s+/fi|get-process\s+-name)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM — Windows Endpoint Events (PROCESS_LAUNCH) Google Security Operations SIEM with Mandiant Endpoint or Carbon Black/CrowdStrike ingestion Chronicle Ingestion API with Sysmon XML parser (process create events)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise software deployment pipelines (Chocolatey, Winget, Scoop) where PowerShell is the parent and child scripts perform pre-flight checks including Test-Path or Win32_ComputerSystem queries to verify installation prerequisites before committing package installation
RMM agents (ConnectWise Automate, N-able, Kaseya) that routinely execute script-host-spawned diagnostics checking domain trust relationships via nltest or enumerating network adapters via WMI for managed device inventory
Anti-virus or EDR deployment scripts executed under msiexec that explicitly check for the presence of competing security products — including ESET binaries ekrn.exe and egui.exe — to prevent compatibility conflicts during installation or upgrade

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(?i)^(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\.exe$/
| CommandLine = /(?i)(volumeserialnumber|win32_logicaldisk|fsutil\s+volume|vol\s+[c-z]:|win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist)|win32_networkadapterconfiguration|macaddress|defaultipgateway|win32_networkadapter|if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid|ekrn\.exe|egui\.exe|tasklist.*\/fi|get-process\s+-name)/
| VolumeSerial := if(CommandLine = /(?i)(volumeserialnumber|win32_logicaldisk|fsutil\s+volume|vol\s+[c-z]:)/, 1, 0)
| DomainHostname := if(CommandLine = /(?i)(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist))/, 1, 0)
| NetworkFingerprint := if(CommandLine = /(?i)(win32_networkadapterconfiguration|macaddress|defaultipgateway)/, 1, 0)
| FilePresence := if(CommandLine = /(?i)(if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid)/, 1, 0)
| ProcessPresence := if(CommandLine = /(?i)(ekrn\.exe|egui\.exe|tasklist.*\/fi|get-process\s+-name)/, 1, 0)
| EsetCheck := if(CommandLine = /(?i)(ekrn\.exe|egui\.exe)/, 1, 0)
| RiskScore := if(VolumeSerial = 1, 3, if(EsetCheck = 1, 3, if(DomainHostname = 1 OR FilePresence = 1 OR ProcessPresence = 1, 2, 1)))
| GuardrailType := case {
    VolumeSerial = 1 | "VolumeSerial" ;
    DomainHostname = 1 | "DomainOrHostname" ;
    NetworkFingerprint = 1 | "NetworkIdentity" ;
    FilePresence = 1 | "FilePresence" ;
    ProcessPresence = 1 | "ProcessPresence" ;
    * | "Unknown"
  }
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, GuardrailType, RiskScore])
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor — ProcessRollup2 events Falcon LogScale (Humio) ingestion pipeline CrowdStrike Falcon Data Replicator (FDR) feed

Required Tables

ProcessRollup2

False Positives

Falcon-managed endpoints running CrowdStrike RTR (Real Time Response) PowerShell scripts that enumerate WMI classes or check domain membership and network configuration for scoping incident response actions — RTR parent processes may appear as powershell.exe spawning diagnostic commands
Software packaging tools (InstallShield, NSIS, Advanced Installer) that spawn script hosts or rundll32 during installation to fingerprint the target system's volume serial number or OS domain for activation, licensing, or feature-gating purposes
Endpoint management agents (Tanium, BigFix, Ivanti Neurons) where the management client acts as the initiating process and spawns diagnostic scripts that check for running security processes or enumerate network adapter configuration as part of compliance posture assessment workflows

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1480 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Execution Guardrails

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections