T1480.001

Environmental Keying

Adversaries may environmentally key payloads to constrain execution to a specific target by deriving cryptographic decryption keys from target-specific values such as volume serial numbers, machine GUIDs, hostnames, domain membership, or DPAPI-bound credentials. Because the decryption key is never transmitted and is derived solely from the victim environment, the payload cannot be analyzed in sandboxes or reversed without access to the exact target system. Real-world examples include APT41 using DPAPI to bind payloads to specific user accounts and machines, PowerPunch using volume serial numbers to generate XOR keys, InvisiMole using DPAPI to prevent decryption outside the compromised host, ROKRAT requiring a specific victim hostname to decrypt strings, and the Ninja implant storing payloads encrypted with keys derived from drive serial numbers.

Microsoft Sentinel / Defender

kusto

// T1480.001 — Environmental Keying
// Detects hardware fingerprinting behaviors (WMI serial queries, MachineGuid reads, DPAPI abuse)
// that are characteristic of payload key derivation before environmentally-keyed execution.
let SuspiciousCallers = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
    "rundll32.exe", "msiexec.exe", "wmic.exe", "certutil.exe"
]);
let HwFingerprintTerms = dynamic([
    "Win32_DiskDrive", "Win32_LogicalDisk", "Win32_Volume",
    "SerialNumber", "VolumeSerialNumber", "GetVolumeInformation",
    "Win32_ComputerSystemProduct", "UUID", "IdentifyingNumber"
]);
// Branch 1: WMI or WMIC queries for hardware serial numbers from suspicious or script-host processes
let WmiHardwareFingerprint = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (SuspiciousCallers)
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi", "gcim", "wmic"))
| where ProcessCommandLine has_any (HwFingerprintTerms)
| extend DetectionMethod = "WMI_Hardware_Serial_Query"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionMethod;
// Branch 2: Registry reads of MachineGuid or ProductId by non-system processes
// (used to derive unique per-machine decryption keys)
let RegistryMachineIdRead = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\Cryptography",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
  )
| where RegistryValueName in~ ("MachineGuid", "ProductId", "InstallDate", "DigitalProductId")
| where ActionType =~ "RegistryValueQueried"
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "WmiPrvSE.exe", "lsass.exe", "SearchIndexer.exe",
    "MsMpEng.exe", "SgrmBroker.exe", "spoolsv.exe", "services.exe",
    "RuntimeBroker.exe", "taskhostw.exe"
  )
| extend DetectionMethod = "Registry_MachineID_Queried"
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName = InitiatingProcessParentFileName,
          InitiatingProcessCommandLine = InitiatingProcessParentCommandLine,
          DetectionMethod;
// Branch 3: DPAPI usage via PowerShell — APT41/InvisiMole pattern
// where payload is bound to specific machine/user using Windows DPAPI
let DpapiPowerShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "CryptProtectData", "CryptUnprotectData", "ProtectedData",
    "System.Security.Cryptography.ProtectedData",
    "Unprotect(", "[dpapi]", "DPAPI"
  )
| extend DetectionMethod = "DPAPI_PowerShell_Keying"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionMethod;
// Branch 4: wmic.exe querying BIOS, baseboard, or computersystem UUIDs
let WmicUuidQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any (
    "bios", "baseboard", "csproduct", "computersystemproduct",
    "uuid", "serialnumber", "identifyingnumber"
  )
| extend DetectionMethod = "WMIC_UUID_Serial_Enum"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionMethod;
union WmiHardwareFingerprint, RegistryMachineIdRead, DpapiPowerShell, WmicUuidQuery
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Software licensing and activation systems that read MachineGuid or volume serial numbers to generate per-seat license keys (e.g., Adobe, Microsoft Office, AutoCAD)
Hardware inventory and asset management tools (SCCM hardware inventory, Lansweeper, Tanium, Qualys) that enumerate WMI hardware properties including serial numbers and UUIDs
Telemetry and diagnostics agents that read machine identifiers to correlate crash reports or usage data with specific devices
Backup software and encryption tools (BitLocker, VeraCrypt) that use machine-specific identifiers for key escrow or binding
IT deployment scripts that use machine GUIDs for unique endpoint identification in device registration workflows

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(EventCode=1 OR EventCode=13 OR EventCode=4688 OR EventCode=4657)
| eval lowerImage=lower(coalesce(Image, NewProcessName, ""))
| eval lowerCmd=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval lowerTarget=lower(coalesce(TargetObject, ObjectName, ""))
| eval is_suspicious_caller=if(
    match(lowerImage, "(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|certutil\.exe)"),
    1, 0)
| eval is_wmi_hw_fingerprint=if(
    (EventCode=1 OR EventCode=4688) AND
    match(lowerCmd, "(win32_diskdrive|win32_logicaldisk|win32_volume|serialnumber|volumeserialnumber|win32_computersystemproduct|uuid|identifyingnumber)") AND
    (is_suspicious_caller=1 OR match(lowerImage, "(powershell\.exe|pwsh\.exe|wmic\.exe)")),
    1, 0)
| eval is_wmic_uuid=if(
    (EventCode=1 OR EventCode=4688) AND
    match(lowerImage, "wmic\.exe") AND
    match(lowerCmd, "(bios|baseboard|csproduct|computersystemproduct|uuid|serialnumber|identifyingnumber)"),
    1, 0)
| eval is_registry_machineid=if(
    (EventCode=13 OR EventCode=4657) AND
    match(lowerTarget, "(software\\\\microsoft\\\\cryptography.*machineguid|software\\\\microsoft\\\\windows nt\\\\currentversion.*(productid|digitalproductid))") AND
    NOT match(lowerImage, "(svchost\.exe|wmiprvse\.exe|lsass\.exe|searchindexer\.exe|msmpeng\.exe|sgrmbroker\.exe|spoolsv\.exe|services\.exe|runtimebroker\.exe|taskhostw\.exe)"),
    1, 0)
| eval is_dpapi_ps=if(
    (EventCode=1 OR EventCode=4688) AND
    match(lowerImage, "(powershell\.exe|pwsh\.exe)") AND
    match(lowerCmd, "(cryptprotectdata|cryptunprotectdata|protecteddata|system\.security\.cryptography\.protecteddata|unprotect\(|\[dpapi\])"),
    1, 0)
| where is_wmi_hw_fingerprint=1 OR is_wmic_uuid=1 OR is_registry_machineid=1 OR is_dpapi_ps=1
| eval DetectionMethod=case(
    is_dpapi_ps=1,           "DPAPI_PowerShell_Keying",
    is_registry_machineid=1, "Registry_MachineID_Queried",
    is_wmic_uuid=1,          "WMIC_UUID_Serial_Enum",
    is_wmi_hw_fingerprint=1, "WMI_Hardware_Serial_Query",
    true(),                  "Unknown")
| eval SuspicionScore=is_wmi_hw_fingerprint + is_wmic_uuid + is_registry_machineid + is_dpapi_ps
| table _time, host, User, lowerImage, lowerCmd, ParentImage, ParentCommandLine, lowerTarget, DetectionMethod, SuspicionScore
| rename lowerImage as Image, lowerCmd as CommandLine, lowerTarget as RegistryTarget
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Access Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 13 Windows Security Event ID 4688 Windows Security Event ID 4657

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software licensing systems that read MachineGuid or volume serial numbers to generate per-seat license keys
Hardware inventory tools (SCCM, Lansweeper, Tanium) enumerating WMI hardware serial numbers and UUIDs during scheduled inventory scans
Endpoint telemetry and crash reporting agents that use machine identifiers for device correlation
Encryption and backup software using DPAPI to bind key material to the current machine or user account
IT provisioning scripts reading machine GUIDs to assign unique device names or register endpoints in directory services

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
    (
      (process.name in~ ("wscript.exe","cscript.exe","mshta.exe","regsvr32.exe","rundll32.exe","msiexec.exe","certutil.exe","wmic.exe") and
       (process.args : ("Win32_DiskDrive","Win32_LogicalDisk","Win32_Volume","SerialNumber","VolumeSerialNumber","Win32_ComputerSystemProduct","UUID","IdentifyingNumber")))
      or
      (process.name in~ ("powershell.exe","pwsh.exe") and
       process.args : ("Get-WmiObject","Get-CimInstance","gwmi","gcim") and
       process.args : ("Win32_DiskDrive","Win32_LogicalDisk","SerialNumber","Win32_ComputerSystemProduct","UUID"))
      or
      (process.name =~ "wmic.exe" and
       process.args : ("bios","baseboard","csproduct","computersystemproduct","uuid","serialnumber","identifyingnumber"))
      or
      (process.name in~ ("powershell.exe","pwsh.exe") and
       process.args : ("CryptProtectData","CryptUnprotectData","ProtectedData","System.Security.Cryptography.ProtectedData","Unprotect(","[dpapi]","DPAPI"))
    )
  ]
or
any where event.category == "registry" and
  event.type == "access" and
  registry.path : ("*\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid","*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId","*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId") and
  not process.name in~ ("svchost.exe","WmiPrvSE.exe","lsass.exe","SearchIndexer.exe","MsMpEng.exe","SgrmBroker.exe","spoolsv.exe","services.exe","RuntimeBroker.exe","taskhostw.exe")

high severity medium confidence

Data Sources

Elastic Endpoint Windows Event Logs via Winlogbeat Sysmon via Filebeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate software inventory or asset management tools (e.g. Lansweeper, SCCM) querying hardware serials via WMI
IT operations scripts using PowerShell Get-WmiObject for hardware auditing
Microsoft 365 or antivirus products reading MachineGuid for licensing or telemetry

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username,
  sourceip,
  QIDNAME(qid) AS EventName,
  "Image" AS ProcessImage,
  "CommandLine" AS ProcessCommandLine,
  "TargetObject" AS RegistryTarget,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(win32_diskdrive|win32_logicaldisk|win32_volume|serialnumber|volumeserialnumber|win32_computersystemproduct|uuid|identifyingnumber)'
     AND LOWER("Image") MATCHES '(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|powershell\.exe|pwsh\.exe)'
    THEN 'WMI_Hardware_Serial_Query'
    WHEN LOWER("Image") MATCHES 'wmic\.exe'
     AND LOWER("CommandLine") MATCHES '(bios|baseboard|csproduct|uuid|serialnumber|identifyingnumber)'
    THEN 'WMIC_UUID_Serial_Enum'
    WHEN LOWER("TargetObject") MATCHES '(microsoft\\\\cryptography.*machineguid|windows nt\\\\currentversion.*(productid|digitalproductid))'
     AND NOT LOWER("Image") MATCHES '(svchost\.exe|wmiprvse\.exe|lsass\.exe|searchindexer\.exe|msmpeng\.exe)'
    THEN 'Registry_MachineID_Queried'
    WHEN LOWER("Image") MATCHES '(powershell\.exe|pwsh\.exe)'
     AND LOWER("CommandLine") MATCHES '(cryptprotectdata|cryptunprotectdata|protecteddata|system\.security\.cryptography|\[dpapi\])'
    THEN 'DPAPI_PowerShell_Keying'
    ELSE 'Unknown'
  END AS DetectionMethod
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)
  AND starttime > NOW() - 86400000
  AND (
    (
      LOWER("CommandLine") MATCHES '(win32_diskdrive|win32_logicaldisk|serialnumber|win32_computersystemproduct|uuid|identifyingnumber)'
      AND LOWER("Image") MATCHES '(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|powershell\.exe|pwsh\.exe|certutil\.exe)'
    )
    OR (
      LOWER("Image") MATCHES 'wmic\.exe'
      AND LOWER("CommandLine") MATCHES '(bios|baseboard|csproduct|uuid|serialnumber|identifyingnumber)'
    )
    OR (
      LOWER("TargetObject") MATCHES '(microsoft\\\\cryptography|windows nt\\\\currentversion)'
      AND LOWER("TargetObject") MATCHES '(machineguid|productid|digitalproductid)'
      AND NOT LOWER("Image") MATCHES '(svchost\.exe|wmiprvse\.exe|lsass\.exe|searchindexer\.exe|msmpeng\.exe|sgrmbroker\.exe|spoolsv\.exe|services\.exe|runtimebroker\.exe|taskhostw\.exe)'
    )
    OR (
      LOWER("Image") MATCHES '(powershell\.exe|pwsh\.exe)'
      AND LOWER("CommandLine") MATCHES '(cryptprotectdata|cryptunprotectdata|protecteddata|system\.security\.cryptography\.protecteddata|\[dpapi\])'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Operational Log QRadar WinCollect agent

Required Tables

events

False Positives

Hardware inventory platforms such as Lansweeper or SCCM querying WMI for asset tracking
License enforcement software reading MachineGuid for machine-bound licensing
PowerShell DSC or configuration management scripts using DPAPI for credential storage

Sumo Logic CSE

sql

_sourceCategory="windows*" (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| where EventID in ("1","13","4688","4657")
| eval lowerImage = toLowerCase(coalesce(Image, NewProcessName, ""))
| eval lowerCmd = toLowerCase(coalesce(CommandLine, ProcessCommandLine, ""))
| eval lowerTarget = toLowerCase(coalesce(TargetObject, ObjectName, ""))
| eval is_wmi_hw = if(
    EventID in ("1","4688") and
    (
      lowerImage matches "(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|certutil\.exe|powershell\.exe|pwsh\.exe)"
    ) and
    (
      lowerCmd matches "(win32_diskdrive|win32_logicaldisk|win32_volume|serialnumber|volumeserialnumber|win32_computersystemproduct|uuid|identifyingnumber)"
    ),
    1, 0)
| eval is_wmic_uuid = if(
    EventID in ("1","4688") and
    lowerImage matches "wmic\.exe" and
    lowerCmd matches "(bios|baseboard|csproduct|computersystemproduct|uuid|serialnumber|identifyingnumber)",
    1, 0)
| eval is_registry_machineid = if(
    EventID in ("13","4657") and
    (
      lowerTarget matches ".*microsoft.cryptography.*machineguid.*" or
      lowerTarget matches ".*windows nt.currentversion.*(productid|digitalproductid).*"
    ) and not (
      lowerImage matches "(svchost\.exe|wmiprvse\.exe|lsass\.exe|searchindexer\.exe|msmpeng\.exe|sgrmbroker\.exe|spoolsv\.exe|services\.exe|runtimebroker\.exe|taskhostw\.exe)"
    ),
    1, 0)
| eval is_dpapi_ps = if(
    EventID in ("1","4688") and
    lowerImage matches "(powershell\.exe|pwsh\.exe)" and
    lowerCmd matches "(cryptprotectdata|cryptunprotectdata|protecteddata|system\.security\.cryptography\.protecteddata|unprotect\(|\[dpapi\])",
    1, 0)
| where is_wmi_hw=1 or is_wmic_uuid=1 or is_registry_machineid=1 or is_dpapi_ps=1
| eval DetectionMethod = if(is_dpapi_ps=1, "DPAPI_PowerShell_Keying",
    if(is_registry_machineid=1, "Registry_MachineID_Queried",
    if(is_wmic_uuid=1, "WMIC_UUID_Serial_Enum",
    if(is_wmi_hw=1, "WMI_Hardware_Serial_Query", "Unknown"))))
| eval SuspicionScore = is_wmi_hw + is_wmic_uuid + is_registry_machineid + is_dpapi_ps
| fields _messageTime, _sourceHost, lowerImage, lowerCmd, lowerTarget, DetectionMethod, SuspicionScore
| rename lowerImage as Image, lowerCmd as CommandLine, lowerTarget as RegistryTarget
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Event Logs (Sysmon Operational, Security) Sumo Logic Installed Collector with Windows Event Source

Required Tables

windows event log source category

False Positives

Enterprise software deployment tools querying hardware serials for license binding
Windows Update or telemetry services reading MachineGuid during update cycles
Custom IT admin scripts using DPAPI for secure credential storage in automated pipelines

Google Chronicle / SecOps

yaral

rule t1480_001_environmental_keying {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1480.001 Environmental Keying — hardware fingerprinting via WMI serial queries, registry MachineGuid reads, DPAPI PowerShell abuse, and wmic UUID enumeration used for payload key derivation."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1480.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-13"

  events:
    (
      // Branch 1: WMI hardware serial query via suspicious caller or PowerShell
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|certutil\.exe|wmic\.exe|powershell\.exe|pwsh\.exe)$`)
      )
      and re.regex($e1.target.process.command_line, `(?i)(Win32_DiskDrive|Win32_LogicalDisk|Win32_Volume|SerialNumber|VolumeSerialNumber|Win32_ComputerSystemProduct|UUID|IdentifyingNumber)`)
    )
    or
    (
      // Branch 2: wmic UUID/serial enumeration
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)wmic\.exe$`)
      and re.regex($e1.target.process.command_line, `(?i)(bios|baseboard|csproduct|computersystemproduct|uuid|serialnumber|identifyingnumber)`)
    )
    or
    (
      // Branch 3: Registry MachineGuid/ProductId read by non-system process
      $e1.metadata.event_type = "REGISTRY_READ"
      and re.regex($e1.target.registry.registry_key, `(?i)(Microsoft\\Cryptography.*MachineGuid|Windows NT\\CurrentVersion.*(ProductId|DigitalProductId))`)
      and not re.regex($e1.principal.process.file.full_path, `(?i)(svchost\.exe|WmiPrvSE\.exe|lsass\.exe|SearchIndexer\.exe|MsMpEng\.exe|SgrmBroker\.exe|spoolsv\.exe|services\.exe|RuntimeBroker\.exe|taskhostw\.exe)$`)
    )
    or
    (
      // Branch 4: DPAPI PowerShell keying
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
      and re.regex($e1.target.process.command_line, `(?i)(CryptProtectData|CryptUnprotectData|ProtectedData|System\.Security\.Cryptography\.ProtectedData|Unprotect\(|\[dpapi\]|DPAPI)`)
    )

  condition:
    $e1

high severity medium confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry forwarded to Chronicle Sysmon or EDR process and registry events

Required Tables

UDM events (PROCESS_LAUNCH, REGISTRY_READ)

False Positives

Asset management or inventory tools performing WMI hardware queries for CMDB population
Software licensing systems that bind licenses to hardware serials via MachineGuid reads
PowerShell runbooks in automation pipelines using ProtectedData for credential management

CrowdStrike LogScale (CQL)

cql

// T1480.001 Environmental Keying — CrowdStrike LogScale (Falcon)
// Branch 1: WMI hardware fingerprint from suspicious callers
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|certutil\.exe|wmic\.exe|powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(Win32_DiskDrive|Win32_LogicalDisk|Win32_Volume|SerialNumber|VolumeSerialNumber|Win32_ComputerSystemProduct|UUID|IdentifyingNumber)/
| DetectionMethod := "WMI_Hardware_Serial_Query"

// Union: WMIC UUID/serial enumeration
| union [
    #event_simpleName=ProcessRollup2
    | ImageFileName = /(?i)wmic\.exe$/
    | CommandLine = /(?i)(bios|baseboard|csproduct|computersystemproduct|uuid|serialnumber|identifyingnumber)/
    | DetectionMethod := "WMIC_UUID_Serial_Enum"
  ]

// Union: Registry MachineGuid/ProductId read by non-system process
| union [
    #event_simpleName=RegQueryValue
    | RegObjectName = /(?i)(Microsoft\\Cryptography|Windows NT\\CurrentVersion)/
    | RegValueName = /(?i)(MachineGuid|ProductId|DigitalProductId)/
    | ImageFileName != /(?i)(svchost\.exe|WmiPrvSE\.exe|lsass\.exe|SearchIndexer\.exe|MsMpEng\.exe|SgrmBroker\.exe|spoolsv\.exe|services\.exe|RuntimeBroker\.exe|taskhostw\.exe)$/
    | DetectionMethod := "Registry_MachineID_Queried"
  ]

// Union: DPAPI PowerShell keying
| union [
    #event_simpleName=ProcessRollup2
    | ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/
    | CommandLine = /(?i)(CryptProtectData|CryptUnprotectData|ProtectedData|System\.Security\.Cryptography\.ProtectedData|Unprotect\(|\[dpapi\]|DPAPI)/
    | DetectionMethod := "DPAPI_PowerShell_Keying"
  ]

| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, RegObjectName, RegValueName, DetectionMethod])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events Falcon RegQueryValue events

Required Tables

ProcessRollup2 RegQueryValue

False Positives

Falcon sensor itself or third-party EDR tools reading MachineGuid for host identification
PowerShell-based configuration management (Ansible, DSC) using ProtectedData for secrets
Hardware inventory or compliance tools (e.g. Tanium, BigFix) performing WMI serial enumeration

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1480.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Environmental Keying

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections