T1480.001 Splunk · SPL

Detect Environmental Keying in Splunk

Adversaries may environmentally key a payload to constrain execution to a specific target by deriving its decryption key from target-specific values such as volume serial numbers, machine GUIDs, hostnames, domain membership, or DPAPI-bound credentials. Because the key is never transmitted and is recomputed from the victim environment at run time, a sandbox or analyst sees only the loader and an opaque encrypted blob; without the exact identifiers of the target system the payload cannot be decrypted, and therefore cannot be detonated or reversed. Real-world examples include APT41 using DPAPI to bind payloads to specific user accounts and machines, PowerPunch using volume serial numbers to generate XOR keys, InvisiMole using DPAPI to prevent decryption outside the compromised host, ROKRAT requiring a specific victim hostname to decrypt strings, and the Ninja implant storing payloads encrypted with keys derived from drive serial numbers.
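To make concrete what the query further down is looking for, here is an added example of the keying scheme in Python. It is not code from this page or from any of the families named above. The key is derived from a volume serial number and MachineGuid, the staged blob carries only salt, ciphertext and an integrity tag, and decryption on a host with different identifiers fails closed. The identifier values and payload are constructed; the SHA-256 counter keystream is a stand-in for a real cipher because the standard library has no AES; collect_local_identifiers shows the Windows calls a loader would use to gather the seed and is the step that produces the process and registry telemetry the detection targets.

```python
import hashlib
import hmac
import os
import sys
from typing import Optional, Tuple

# Constructed target identifiers: what the operator recorded on the victim at staging time.
TARGET_SERIAL = 0x1A2B3C4D
TARGET_GUID = "2f6d3b9c-1e54-4a7b-9d0e-8c5a1f2b3c4d"
PAYLOAD = b"constructed stage-2 payload: would be the real implant bytes"


def derive_key(volume_serial: int, machine_guid: str, salt: bytes) -> bytes:
    """Key material comes only from host identifiers; nothing secret ships with the blob."""
    seed = f"{volume_serial:08X}|{machine_guid.lower()}".encode()
    return hashlib.pbkdf2_hmac("sha256", seed, salt, 100_000, dklen=32)


def _keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; a real loader would use AES-GCM or similar.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def seal(payload: bytes, key: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ct, "sha256").digest()  # encrypt-then-MAC
    return ct + tag


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None  # wrong environment: fail closed, leave no plaintext for a sandbox to dump
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def stage(payload: bytes, serial: int, guid: str) -> bytes:
    """What gets dropped on the target: salt || ciphertext || tag, and no key."""
    salt = os.urandom(16)
    return salt + seal(payload, derive_key(serial, guid, salt))


def unpack(blob: bytes, serial: int, guid: str) -> Optional[bytes]:
    """What the loader does at run time with identifiers read from the local host."""
    salt, body = blob[:16], blob[16:]
    return unseal(body, derive_key(serial, guid, salt))


def collect_local_identifiers() -> Tuple[int, str]:
    """Windows-only: the API calls a loader would use, and the reads a defender must watch.
    GetVolumeInformationW returns the C: volume serial; MachineGuid is read from the registry.
    Both are reads, so Sysmon 13 / Security 4657 do not fire; a SACL plus Security 4663 would."""
    if sys.platform != "win32":
        raise OSError("collect_local_identifiers is only meaningful on Windows")
    import ctypes
    import winreg
    serial = ctypes.c_uint32()
    if not ctypes.windll.kernel32.GetVolumeInformationW(
        "C:\\", None, 0, ctypes.byref(serial), None, None, None, 0
    ):
        raise ctypes.WinError()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        guid, _ = winreg.QueryValueEx(key, "MachineGuid")
    return serial.value, guid


def demo() -> Tuple[bool, bool]:
    """Returns (decrypts on the target, refuses in a sandbox with other identifiers)."""
    blob = stage(PAYLOAD, TARGET_SERIAL, TARGET_GUID)
    on_target = unpack(blob, TARGET_SERIAL, TARGET_GUID)
    in_sandbox = unpack(blob, 0xDEADBEEF, "00000000-0000-0000-0000-000000000000")
    return on_target == PAYLOAD, in_sandbox is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point for detection is in collect_local_identifiers: the only host-side footprint of the keying itself is a volume-information API call and a registry read, neither of which produces a write event, so the process-creation command line (wmic, PowerShell CIM cmdlets, Get-ItemProperty on the Cryptography key) is the signal to build on.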

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1480 Execution Guardrails
Sub-technique: T1480.001 Environmental Keying
Canonical reference: https://attack.mitre.org/techniques/T1480/001/

SPL Detection Query

Splunk (SPL)

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(EventCode=1 OR EventCode=13 OR EventCode=4688 OR EventCode=4657)
| eval lowerImage=lower(coalesce(Image, NewProcessName, New_Process_Name, Process_Name, ""))
| eval lowerCmd=lower(coalesce(CommandLine, ProcessCommandLine, Process_Command_Line, ""))
| eval lowerTarget=lower(coalesce(TargetObject, ObjectName, Object_Name, ""))
| eval is_suspicious_caller=if(
    match(lowerImage, "(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|certutil\.exe)"),
    1, 0)
| eval is_wmi_hw_fingerprint=if(
    (EventCode=1 OR EventCode=4688) AND
    match(lowerCmd, "(win32_diskdrive|win32_logicaldisk|win32_volume|serialnumber|volumeserialnumber|win32_computersystemproduct|uuid|identifyingnumber|machineguid)") AND
    (is_suspicious_caller=1 OR match(lowerImage, "(powershell\.exe|pwsh\.exe|wmic\.exe)")),
    1, 0)
| eval is_wmic_uuid=if(
    (EventCode=1 OR EventCode=4688) AND
    match(lowerImage, "wmic\.exe") AND
    match(lowerCmd, "(bios|baseboard|csproduct|computersystemproduct|uuid|serialnumber|identifyingnumber)"),
    1, 0)
| eval is_registry_machineid=if(
    (EventCode=13 OR EventCode=4657) AND
    match(lowerTarget, "(software\\\\microsoft\\\\cryptography.*machineguid|software\\\\microsoft\\\\windows nt\\\\currentversion.*(productid|digitalproductid))") AND
    NOT match(lowerImage, "(svchost\.exe|wmiprvse\.exe|lsass\.exe|searchindexer\.exe|msmpeng\.exe|sgrmbroker\.exe|spoolsv\.exe|services\.exe|runtimebroker\.exe|taskhostw\.exe)"),
    1, 0)
| eval is_dpapi_ps=if(
    (EventCode=1 OR EventCode=4688) AND
    match(lowerImage, "(powershell\.exe|pwsh\.exe)") AND
    match(lowerCmd, "(cryptprotectdata|cryptunprotectdata|protecteddata|system\.security\.cryptography\.protecteddata|unprotect\(|\[dpapi\])"),
    1, 0)
| where is_wmi_hw_fingerprint=1 OR is_wmic_uuid=1 OR is_registry_machineid=1 OR is_dpapi_ps=1
| eval DetectionMethod=case(
    is_dpapi_ps=1,           "DPAPI_PowerShell_Keying",
    is_registry_machineid=1, "Registry_MachineID_Queried",
    is_wmic_uuid=1,          "WMIC_UUID_Serial_Enum",
    is_wmi_hw_fingerprint=1, "WMI_Hardware_Serial_Query",
    true(),                  "Unknown")
| eval SuspicionScore=is_wmi_hw_fingerprint + is_wmic_uuid + is_registry_machineid + is_dpapi_ps
| table _time, host, User, lowerImage, lowerCmd, ParentImage, ParentCommandLine, lowerTarget, DetectionMethod, SuspicionScore
| rename lowerImage as Image, lowerCmd as CommandLine, lowerTarget as RegistryTarget
| sort - _time
Severity: medium · Confidence: medium

Detects environmental-keying precursor behaviour using Sysmon Event IDs 1 (Process Create) and 13 (Registry Value Set) plus Security Event IDs 4688 and 4657. The coalesce() calls accept both the XmlWinEventLog/Sysmon field names (Image, CommandLine, TargetObject) and the classic Security TA extractions (New_Process_Name, Process_Command_Line, Object_Name, Process_Name), so both sourcetypes feed the same branches. Four branches are evaluated: WMI hardware-serial and MachineGuid terms on a command line launched by a scripting or LOLBin caller, WMIC UUID/serial enumeration, writes to the MachineGuid and ProductId values by non-system processes, and DPAPI-related PowerShell command lines. Two caveats matter when reading results. First, Sysmon 13 and Security 4657 fire only when a value is written; a process that merely reads MachineGuid, which is the common keying case, generates neither, so the registry branch catches tampering with the identifier rather than collection of it. To see reads, set a SACL on HKLM\SOFTWARE\Microsoft\Cryptography and collect Security Event ID 4663 (object access). Second, SuspicionScore is computed per event, not per process: the registry branch runs on different event IDs from the other three and can never co-fire with them, and any wmic.exe command naming serialnumber or uuid satisfies both WMI branches at once, so a score of 2 on a single process-creation event is routine for inventory scripts. Treat 2+ as a prompt to pivot on ProcessId and ParentImage and look for several branches firing from one process tree in a short window, not as a verdict on its own.
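The branch logic run over a handful of constructed events, as an added example in Python rather than code from the page: it ports the four eval branches and the case() precedence so you can see which branch a given event lands in and how SuspicionScore behaves before deploying the search. Field names cover both the Sysmon XML extractions and the classic Security TA names; the events are constructed to mirror the Testing Methodology cases below plus two benign controls; the command-line term list includes machineguid so a PowerShell read of the value by its registry path is caught by the WMI_Hardware_Serial_Query branch.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexes mirror the match() calls in the SPL query; inputs are lower-cased first, as in the evals.
SUSPICIOUS_CALLER = re.compile(
    r"(wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|certutil\.exe)")
SCRIPT_OR_WMIC = re.compile(r"(powershell\.exe|pwsh\.exe|wmic\.exe)")
HW_ID_TERMS = re.compile(
    r"(win32_diskdrive|win32_logicaldisk|win32_volume|serialnumber|volumeserialnumber|"
    r"win32_computersystemproduct|uuid|identifyingnumber|machineguid)")
WMIC_ID_TERMS = re.compile(r"(bios|baseboard|csproduct|computersystemproduct|uuid|serialnumber|identifyingnumber)")
MACHINE_ID_KEYS = re.compile(
    r"(software\\microsoft\\cryptography.*machineguid|"
    r"software\\microsoft\\windows nt\\currentversion.*(productid|digitalproductid))")
SYSTEM_IMAGES = re.compile(
    r"(svchost\.exe|wmiprvse\.exe|lsass\.exe|searchindexer\.exe|msmpeng\.exe|"
    r"sgrmbroker\.exe|spoolsv\.exe|services\.exe|runtimebroker\.exe|taskhostw\.exe)")
POWERSHELL = re.compile(r"(powershell\.exe|pwsh\.exe)")
DPAPI_TERMS = re.compile(
    r"(cryptprotectdata|cryptunprotectdata|protecteddata|"
    r"system\.security\.cryptography\.protecteddata|unprotect\(|\[dpapi\])")

PROCESS_EVENTS = {1, 4688}    # Sysmon Process Create, Security process creation
REGISTRY_EVENTS = {13, 4657}  # Sysmon Registry Value Set, Security registry value modified (writes only)

Event = Dict[str, object]


def _coalesce(event: Event, *names: str) -> str:
    """Same idea as SPL coalesce() followed by lower(): first populated field wins."""
    for name in names:
        value = event.get(name)
        if value:
            return str(value).lower()
    return ""


def score_event(event: Event) -> Optional[Tuple[str, int]]:
    """Return (DetectionMethod, SuspicionScore) for one event, or None if no branch fires."""
    code = int(event["EventCode"])
    image = _coalesce(event, "Image", "NewProcessName", "New_Process_Name", "Process_Name")
    cmd = _coalesce(event, "CommandLine", "ProcessCommandLine", "Process_Command_Line")
    target = _coalesce(event, "TargetObject", "ObjectName", "Object_Name")

    suspicious_caller = bool(SUSPICIOUS_CALLER.search(image))
    wmi_hw = (code in PROCESS_EVENTS and bool(HW_ID_TERMS.search(cmd))
              and (suspicious_caller or bool(SCRIPT_OR_WMIC.search(image))))
    wmic_uuid = code in PROCESS_EVENTS and "wmic.exe" in image and bool(WMIC_ID_TERMS.search(cmd))
    reg_id = (code in REGISTRY_EVENTS and bool(MACHINE_ID_KEYS.search(target))
              and not SYSTEM_IMAGES.search(image))
    dpapi = code in PROCESS_EVENTS and bool(POWERSHELL.search(image)) and bool(DPAPI_TERMS.search(cmd))

    score = int(wmi_hw) + int(wmic_uuid) + int(reg_id) + int(dpapi)
    if score == 0:
        return None
    # Same precedence as the SPL case(): the first matching branch names the detection.
    if dpapi:
        method = "DPAPI_PowerShell_Keying"
    elif reg_id:
        method = "Registry_MachineID_Queried"
    elif wmic_uuid:
        method = "WMIC_UUID_Serial_Enum"
    else:
        method = "WMI_Hardware_Serial_Query"
    return method, score


# Constructed events: one per test case on this page plus two benign controls.
EVENTS: List[Event] = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",            # Test 1
     "CommandLine": "wmic logicaldisk get VolumeSerialNumber"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # Test 2
     "CommandLine": r'powershell -c "(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Cryptography).MachineGuid"'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # Test 3
     "CommandLine": r'powershell -nop -c "[System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 0)"'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # Test 4
     "CommandLine": r'powershell -c "Get-WmiObject Win32_LogicalDisk | Select VolumeSerialNumber; '
                    r'(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Cryptography).MachineGuid; Get-WmiObject Win32_ComputerSystem"'},
    {"EventCode": 13, "Image": r"C:\Windows\System32\svchost.exe",              # excluded system image
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    {"EventCode": 13, "Image": r"C:\Users\Public\update.exe",                   # non-system write to MachineGuid
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    {"EventCode": 4688, "New_Process_Name": r"C:\Windows\System32\cmd.exe",     # benign, classic TA field names
     "Process_Command_Line": "cmd /c dir C:\\"},
]


def run(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Equivalent of the final where/table: only events that fired, with the image for pivoting."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result is not None:
            hits.append((result[0], result[1],
                         _coalesce(ev, "Image", "NewProcessName", "New_Process_Name", "Process_Name")))
    return hits


if __name__ == "__main__":
    for hit in run(EVENTS):
        print(hit)
```

Two results are worth noticing. The wmic volume-serial query scores 2 on its own because it satisfies both WMI branches, while the Test 4 command line, which collects three identifiers in one go, scores only 1: the score counts branches on one event, not how much identifier material was gathered. Correlating across events for one process tree (a stats over host and process id in SPL) is what turns these per-event hits into a per-process judgement.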

Data Sources

  • Process: Process Creation
  • Windows Registry: Windows Registry Key Modification
  • Command: Command Execution
  • Sysmon Event ID 1
  • Sysmon Event ID 13
  • Windows Security Event ID 4688
  • Windows Security Event ID 4657

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • Software licensing systems that read MachineGuid or volume serial numbers to generate per-seat license keys
  • Hardware inventory tools (SCCM, Lansweeper, Tanium) enumerating WMI hardware serial numbers and UUIDs during scheduled inventory scans
  • Endpoint telemetry and crash reporting agents that use machine identifiers for device correlation
  • Encryption and backup software using DPAPI to bind key material to the current machine or user account
  • IT provisioning scripts reading machine GUIDs to assign unique device names or register endpoints in directory services

Testing Methodology

Validate this detection against four test cases modelled on Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Volume Serial Number Query via WMIC (PowerPunch/Ninja Pattern)

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=wmic.exe and CommandLine containing 'logicaldisk' and 'VolumeSerialNumber'. Security Event ID 4688 (if command-line auditing is enabled) with the full query in the command-line field. WMI activity in Microsoft-Windows-WMI-Activity/Operational. Note that wmic.exe is deprecated and may be absent on current Windows 11 builds; on such hosts the same query arrives through Get-CimInstance or Get-WmiObject in powershell.exe and is caught by the WMI_Hardware_Serial_Query branch rather than WMIC_UUID_Serial_Enum.

  2. Test 2: Machine GUID Registry Read via PowerShell (Environmental Key Seed Collection)

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and CommandLine containing 'HKLM' and 'MachineGuid'. PowerShell ScriptBlock Log Event ID 4104 showing the full script. A read does not produce Sysmon Event ID 13 or Security Event ID 4657, both of which require a value write, so the registry branch of this query stays silent; the only registry-level signal is Security Event ID 4663 if object access auditing is enabled and a SACL is set on HKLM\SOFTWARE\Microsoft\Cryptography.

  3. Test 3: DPAPI Encrypt and Decrypt Simulation (APT41/InvisiMole Pattern)

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and CommandLine containing 'ProtectedData', 'Protect', and 'Unprotect'. Sysmon Event ID 7 (ImageLoad): dpapi.dll and crypt32.dll loaded by powershell.exe, if image-load logging is configured for PowerShell. PowerShell ScriptBlock Log Event ID 4104 with the full ProtectedData usage. Microsoft-Windows-Crypto-DPAPI/Operational Event IDs 12288 and 12290 for protect/unprotect operations.

  4. Test 4: Multi-Identifier Environmental Fingerprinting (Combined Key Material Collection)

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and CommandLine containing 'Win32_LogicalDisk', 'VolumeSerialNumber', 'MachineGuid', and 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-identifier collection script. WMI activity events for both WMI object queries. Registry read events for MachineGuid only where a SACL and Security Event ID 4663 collection are in place. Because all three identifiers are gathered on one command line, this produces a single process-creation event with SuspicionScore 1; the volume of identifier material is visible in the command line and script block, not in the score.
