Detect Execution Guardrails in CrowdStrike LogScale
Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1480 Execution Guardrails
- Canonical reference
- https://attack.mitre.org/techniques/T1480/
LogScale Detection Query
#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(?i)^(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\.exe$/
| CommandLine = /(?i)(volumeserialnumber|win32_logicaldisk|fsutil\s+volume|vol\s+[c-z]:|win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist)|win32_networkadapterconfiguration|macaddress|defaultipgateway|win32_networkadapter|if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid|ekrn\.exe|egui\.exe|tasklist.*\/fi|get-process\s+-name)/
| VolumeSerial := if(CommandLine = /(?i)(volumeserialnumber|win32_logicaldisk|fsutil\s+volume|vol\s+[c-z]:)/, 1, 0)
| DomainHostname := if(CommandLine = /(?i)(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest.*(domain_trusts|dclist))/, 1, 0)
| NetworkFingerprint := if(CommandLine = /(?i)(win32_networkadapterconfiguration|macaddress|defaultipgateway)/, 1, 0)
| FilePresence := if(CommandLine = /(?i)(if\s+(not\s+)?exist|test-path|haldrund\.pid|irc\.pid)/, 1, 0)
| ProcessPresence := if(CommandLine = /(?i)(ekrn\.exe|egui\.exe|tasklist.*\/fi|get-process\s+-name)/, 1, 0)
| EsetCheck := if(CommandLine = /(?i)(ekrn\.exe|egui\.exe)/, 1, 0)
| RiskScore := if(VolumeSerial = 1, 3, if(EsetCheck = 1, 3, if(DomainHostname = 1 OR FilePresence = 1 OR ProcessPresence = 1, 2, 1)))
| GuardrailType := case {
VolumeSerial = 1 | "VolumeSerial" ;
DomainHostname = 1 | "DomainOrHostname" ;
NetworkFingerprint = 1 | "NetworkIdentity" ;
FilePresence = 1 | "FilePresence" ;
ProcessPresence = 1 | "ProcessPresence" ;
* | "Unknown"
}
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, GuardrailType, RiskScore])
| sort(RiskScore, order=desc)CrowdStrike Falcon LogScale (CQL) query for T1480 Execution Guardrails filtering ProcessRollup2 events where the ParentBaseFileName matches a LOLBin or script interpreter and the CommandLine contains environmental fingerprinting patterns consistent with targeted malware performing target validation before payload execution. Covers all five guardrail categories with risk scoring matching the Sentinel and Splunk baselines. ESET process checks (ekrn.exe, egui.exe) receive elevated risk score of 3 consistent with TONESHELL TTPs. Requires Falcon sensor with full process telemetry and command line capture configured; ProcessRollup2 events must be present in the LogScale repository.
Data Sources
Required Tables
False Positives & Tuning
- Falcon-managed endpoints running CrowdStrike RTR (Real Time Response) PowerShell scripts that enumerate WMI classes or check domain membership and network configuration for scoping incident response actions — RTR parent processes may appear as powershell.exe spawning diagnostic commands
- Software packaging tools (InstallShield, NSIS, Advanced Installer) that spawn script hosts or rundll32 during installation to fingerprint the target system's volume serial number or OS domain for activation, licensing, or feature-gating purposes
- Endpoint management agents (Tanium, BigFix, Ivanti Neurons) where the management client acts as the initiating process and spawns diagnostic scripts that check for running security processes or enumerate network adapter configuration as part of compliance posture assessment workflows
Other platforms for T1480
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Volume Serial Number Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.
- Test 2Hostname and Domain Membership Check via PowerShell WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.
- Test 3File Presence Guardrail Check via CMD
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.
- Test 4Security Product Process Check via Tasklist
Expected signal: Sysmon Event ID 1: Two process creation events — cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in command-line audit.
- Test 5Linux PID File Mutex Guardrail
Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.
References (9)
- https://attack.mitre.org/techniques/T1480/
- https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html
- https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.mandiant.com/resources/blog/apt41-us-state-tax-departments
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1480/T1480.md
- https://github.com/SigmaHQ/sigma/search?q=T1480
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
Unlock Pro Content
Get the full detection package for T1480 including response playbook, investigation guide, and atomic red team tests.