Detect Execution Guardrails in Google Chronicle
Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1480 Execution Guardrails
- Canonical reference
- https://attack.mitre.org/techniques/T1480/
YARA-L Detection Query
rule t1480_execution_guardrails_env_fingerprinting {
meta:
author = "Detection Engineering"
description = "Detects processes spawned by LOLBins or script hosts performing environmental fingerprinting consistent with T1480 Execution Guardrails — volume serial checks, domain/hostname enumeration, network adapter queries, file/process presence validation"
severity = "HIGH"
tactic = "Defense Evasion"
technique = "T1480"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1480/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.process.file.full_path != ""
$e.target.process.command_line != ""
// Parent must be a LOLBin or script interpreter
re.regex($e.principal.process.file.full_path,
`(?i)(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\.exe$`)
// Child command line must contain at least one guardrail fingerprinting pattern
(
re.regex($e.target.process.command_line,
`(?i)(volumeserialnumber|win32_logicaldisk|vol\s+[c-z]:|fsutil\s+volume)`) or
re.regex($e.target.process.command_line,
`(?i)(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist))`) or
re.regex($e.target.process.command_line,
`(?i)(win32_networkadapterconfiguration|macaddress|defaultipgateway|win32_networkadapter)`) or
re.regex($e.target.process.command_line,
`(?i)(if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid)`) or
re.regex($e.target.process.command_line,
`(?i)(ekrn\.exe|egui\.exe|tasklist\s+/fi|get-process\s+-name)`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule for T1480 Execution Guardrails triggering on PROCESS_LAUNCH UDM events where the principal (parent) process path matches a LOLBin or script interpreter and the target (spawned) process command line contains environmental fingerprinting patterns. Five guardrail categories covered: volume serial number queries, domain/hostname WMI enumeration, network adapter MAC/gateway checks, cmd.exe or PowerShell file presence tests, and process presence checks including ESET security binary names used by TONESHELL. Requires Chronicle ingestion of Windows endpoint telemetry with process lineage and command line fields populated in the UDM principal/target model.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise software deployment pipelines (Chocolatey, Winget, Scoop) where PowerShell is the parent and child scripts perform pre-flight checks including Test-Path or Win32_ComputerSystem queries to verify installation prerequisites before committing package installation
- RMM agents (ConnectWise Automate, N-able, Kaseya) that routinely execute script-host-spawned diagnostics checking domain trust relationships via nltest or enumerating network adapters via WMI for managed device inventory
- Anti-virus or EDR deployment scripts executed under msiexec that explicitly check for the presence of competing security products — including ESET binaries ekrn.exe and egui.exe — to prevent compatibility conflicts during installation or upgrade
Other platforms for T1480
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Volume Serial Number Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.
- Test 2Hostname and Domain Membership Check via PowerShell WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.
- Test 3File Presence Guardrail Check via CMD
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.
- Test 4Security Product Process Check via Tasklist
Expected signal: Sysmon Event ID 1: Two process creation events — cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in command-line audit.
- Test 5Linux PID File Mutex Guardrail
Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.
References (9)
- https://attack.mitre.org/techniques/T1480/
- https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
- https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.mandiant.com/resources/blog/apt41-us-state-tax-departments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1480/T1480.md
- https://github.com/SigmaHQ/sigma/search?q=T1480
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
Unlock Pro Content
Get the full detection package for T1480 including response playbook, investigation guide, and atomic red team tests.