T1480.001 Microsoft Sentinel · KQL

Detect Environmental Keying in Microsoft Sentinel

Adversaries may environmentally key payloads to constrain execution to a specific target by deriving cryptographic decryption keys from target-specific values such as volume serial numbers, machine GUIDs, hostnames, domain membership, or DPAPI-bound credentials. Because the decryption key is never transmitted and is derived solely from the victim environment, the payload cannot be analyzed in sandboxes or reversed without access to the exact target system. Real-world examples include APT41 using DPAPI to bind payloads to specific user accounts and machines, PowerPunch using volume serial numbers to generate XOR keys, InvisiMole using DPAPI to prevent decryption outside the compromised host, ROKRAT requiring a specific victim hostname to decrypt strings, and the Ninja implant storing payloads encrypted with keys derived from drive serial numbers.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1480 Execution Guardrails
Sub-technique
T1480.001 Environmental Keying
Canonical reference
https://attack.mitre.org/techniques/T1480/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1480.001 — Environmental Keying
// Detects hardware fingerprinting behaviors (WMI serial queries, MachineGuid reads, DPAPI abuse)
// that are characteristic of payload key derivation before environmentally-keyed execution.
let SuspiciousCallers = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
    "rundll32.exe", "msiexec.exe", "wmic.exe", "certutil.exe"
]);
let HwFingerprintTerms = dynamic([
    "Win32_DiskDrive", "Win32_LogicalDisk", "Win32_Volume",
    "SerialNumber", "VolumeSerialNumber", "GetVolumeInformation",
    "Win32_ComputerSystemProduct", "UUID", "IdentifyingNumber"
]);
// Branch 1: WMI or WMIC queries for hardware serial numbers from suspicious or script-host processes
let WmiHardwareFingerprint = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (SuspiciousCallers)
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi", "gcim", "wmic"))
| where ProcessCommandLine has_any (HwFingerprintTerms)
| extend DetectionMethod = "WMI_Hardware_Serial_Query"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionMethod;
// Branch 2: Registry reads of MachineGuid or ProductId by non-system processes
// (used to derive unique per-machine decryption keys)
let RegistryMachineIdRead = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\Cryptography",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
  )
| where RegistryValueName in~ ("MachineGuid", "ProductId", "InstallDate", "DigitalProductId")
| where ActionType =~ "RegistryValueQueried"
| where InitiatingProcessFileName !in~ (
    "svchost.exe", "WmiPrvSE.exe", "lsass.exe", "SearchIndexer.exe",
    "MsMpEng.exe", "SgrmBroker.exe", "spoolsv.exe", "services.exe",
    "RuntimeBroker.exe", "taskhostw.exe"
  )
| extend DetectionMethod = "Registry_MachineID_Queried"
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName = InitiatingProcessParentFileName,
          InitiatingProcessCommandLine = InitiatingProcessParentCommandLine,
          DetectionMethod;
// Branch 3: DPAPI usage via PowerShell — APT41/InvisiMole pattern
// where payload is bound to specific machine/user using Windows DPAPI
let DpapiPowerShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "CryptProtectData", "CryptUnprotectData", "ProtectedData",
    "System.Security.Cryptography.ProtectedData",
    "Unprotect(", "[dpapi]", "DPAPI"
  )
| extend DetectionMethod = "DPAPI_PowerShell_Keying"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionMethod;
// Branch 4: wmic.exe querying BIOS, baseboard, or computersystem UUIDs
let WmicUuidQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any (
    "bios", "baseboard", "csproduct", "computersystemproduct",
    "uuid", "serialnumber", "identifyingnumber"
  )
| extend DetectionMethod = "WMIC_UUID_Serial_Enum"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionMethod;
union WmiHardwareFingerprint, RegistryMachineIdRead, DpapiPowerShell, WmicUuidQuery
| sort by Timestamp desc
medium severity medium confidence

Detects behavioral precursors to environmental keying: hardware fingerprinting via WMI/WMIC (volume serial number, UUID, BIOS serial queries), registry reads of machine-unique identifiers (MachineGuid, ProductId), and DPAPI usage from PowerShell. Environmental keying payloads cannot be detected by inspecting the encrypted blob alone — detection must focus on the key derivation behaviors that precede decryption. Four branches cover the most common environmental keying patterns seen in the wild: WMI hardware fingerprinting (Ninja, PowerPunch), registry machine ID reads, DPAPI-bound decryption (APT41, InvisiMole), and WMIC UUID enumeration. Confidence is medium because these fingerprinting behaviors also occur in legitimate software inventory, licensing, and telemetry workflows.

Data Sources

Process: Process CreationWindows Registry: Windows Registry Key AccessCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceRegistryEvents

False Positives & Tuning

  • Software licensing and activation systems that read MachineGuid or volume serial numbers to generate per-seat license keys (e.g., Adobe, Microsoft Office, AutoCAD)
  • Hardware inventory and asset management tools (SCCM hardware inventory, Lansweeper, Tanium, Qualys) that enumerate WMI hardware properties including serial numbers and UUIDs
  • Telemetry and diagnostics agents that read machine identifiers to correlate crash reports or usage data with specific devices
  • Backup software and encryption tools (BitLocker, VeraCrypt) that use machine-specific identifiers for key escrow or binding
  • IT deployment scripts that use machine GUIDs for unique endpoint identification in device registration workflows
Download portable Sigma rule (.yml)

Other platforms for T1480.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Volume Serial Number Query via WMIC (PowerPunch/Ninja Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'logicaldisk' and 'VolumeSerialNumber'. Security Event ID 4688 (if command line auditing enabled) with ProcessCommandLine showing the full query. WMI activity log in Microsoft-Windows-WMI-Activity/Operational.

  2. Test 2Machine GUID Registry Read via PowerShell (Environmental Key Seed Collection)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'HKLM' and 'MachineGuid'. Sysmon Event ID 13 (RegistryValueSet) or equivalent registry read event in Microsoft-Windows-Security-Auditing if object access auditing is enabled. PowerShell ScriptBlock Log Event ID 4104 showing the full script.

  3. Test 3DPAPI Encrypt and Decrypt Simulation (APT41/InvisiMole Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'ProtectedData', 'Protect', and 'Unprotect'. Sysmon Event ID 7 (ImageLoad): dpapi.dll and crypt32.dll loaded by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full ProtectedData usage. Microsoft-Windows-Crypto-DPAPI/Operational Event IDs 12288 and 12290 for protect/unprotect operations.

  4. Test 4Multi-Identifier Environmental Fingerprinting (Combined Key Material Collection)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_LogicalDisk', 'VolumeSerialNumber', 'MachineGuid', and 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 with full multi-identifier collection script. Registry read events for MachineGuid. WMI activity events for both WMI object queries.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1480.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1480Execution Guardrails

Related Sub-techniques

T1480.002Mutual Exclusion

Related Techniques

T1480Execution GuardrailsT1027Obfuscated Files or InformationT1027.002Software PackingT1497Virtualization/Sandbox EvasionT1553.002Code SigningT1140Deobfuscate/Decode Files or InformationT1082System Information DiscoveryT1012Query RegistryT1059.001PowerShellT1055Process Injection

Same Tactic: Defense Evasion

Popular Detections