Detect Execution Guardrails in Elastic Security
Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1480 Execution Guardrails
- Canonical reference
- https://attack.mitre.org/techniques/T1480/
Elastic Detection Query
process where event.type == "start" and
process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
"regsvr32.exe", "msiexec.exe", "installutil.exe", "cmstp.exe",
"powershell.exe", "pwsh.exe") and
process.command_line : (
"*VolumeSerialNumber*", "*Win32_LogicalDisk*", "*vol c:*", "*vol d:*", "*vol e:*", "*fsutil volume*",
"*Win32_ComputerSystem*", "*DNSDomain*", "*userdnsdomain*", "*logonserver*",
"*nltest*/domain_trusts*", "*nltest*/dclist*",
"*Win32_NetworkAdapterConfiguration*", "*MACAddress*", "*DefaultIPGateway*", "*Win32_NetworkAdapter*",
"*if exist*", "*if not exist*", "*Test-Path*", "*haldrund.pid*", "*irc.pid*",
"*ekrn.exe*", "*egui.exe*", "*tasklist*/FI*", "*Get-Process*-Name*"
)Detects child processes of LOLBins and script hosts whose command lines contain environmental fingerprinting patterns consistent with T1480 Execution Guardrails. Covers volume serial number queries via WMI or fsutil, domain and hostname enumeration via WMI or nltest, network adapter MAC and gateway checks, file presence tests using cmd.exe conditionals or PowerShell Test-Path, and process presence checks including ESET-specific binary names used by TONESHELL-style guardrails. Requires Elastic Endpoint or Sysmon via Winlogbeat with process command line collection enabled.
Data Sources
Required Tables
False Positives & Tuning
- SCCM or Ansible inventory agents launched via WMI providers querying Win32_ComputerSystem or Win32_LogicalDisk for hardware asset discovery — these will match domain/hostname and volume serial patterns when a script host is the initiating process
- Software license enforcement routines in commercial installers (e.g., AutoCAD, Adobe) that use msiexec or installutil as parent and spawn scripts checking volume serial numbers or hostnames for node-locked license validation
- Remote monitoring and management tools (ConnectWise Automate, N-able, Datto RMM) that execute PowerShell or cscript diagnostics checking domain trust relationships via nltest or enumerating network adapters via WMI for asset inventory
Other platforms for T1480
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Volume Serial Number Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.
- Test 2Hostname and Domain Membership Check via PowerShell WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.
- Test 3File Presence Guardrail Check via CMD
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.
- Test 4Security Product Process Check via Tasklist
Expected signal: Sysmon Event ID 1: Two process creation events — cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in command-line audit.
- Test 5Linux PID File Mutex Guardrail
Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.
References (9)
- https://attack.mitre.org/techniques/T1480/
- https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
- https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.mandiant.com/resources/blog/apt41-us-state-tax-departments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1480/T1480.md
- https://github.com/SigmaHQ/sigma/search?q=T1480
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
Unlock Pro Content
Get the full detection package for T1480 including response playbook, investigation guide, and atomic red team tests.