Detect Execution Guardrails in IBM QRadar
Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1480 Execution Guardrails
- Canonical reference: https://attack.mitre.org/techniques/T1480/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    "deviceName" AS hostname,
    username,
    QIDNAME(qid) AS event_name,
    "Process Name" AS process_name,
    "Command" AS command_line,
    "Parent Process Name" AS parent_process_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    CASE
        WHEN LOWER("Command") ILIKE '%volumeserialnumber%'
          OR LOWER("Command") ILIKE '%win32_logicaldisk%'
          OR LOWER("Command") ILIKE '%fsutil volume%'
          OR LOWER("Command") ILIKE '%vol c:%'
          OR LOWER("Command") ILIKE '%vol d:%' THEN 'VolumeSerial'
        WHEN LOWER("Command") ILIKE '%win32_computersystem%'
          OR LOWER("Command") ILIKE '%dnsdomain%'
          OR LOWER("Command") ILIKE '%userdnsdomain%'
          OR LOWER("Command") ILIKE '%logonserver%'
          OR LOWER("Command") ILIKE '%nltest%domain_trusts%'
          OR LOWER("Command") ILIKE '%nltest%dclist%' THEN 'DomainOrHostname'
        WHEN LOWER("Command") ILIKE '%win32_networkadapterconfiguration%'
          OR LOWER("Command") ILIKE '%macaddress%'
          OR LOWER("Command") ILIKE '%defaultipgateway%' THEN 'NetworkIdentity'
        WHEN LOWER("Command") ILIKE '%if exist%'
          OR LOWER("Command") ILIKE '%if not exist%'
          OR LOWER("Command") ILIKE '%test-path%'
          OR LOWER("Command") ILIKE '%haldrund.pid%'
          OR LOWER("Command") ILIKE '%irc.pid%' THEN 'FilePresence'
        WHEN LOWER("Command") ILIKE '%ekrn.exe%'
          OR LOWER("Command") ILIKE '%egui.exe%'
          OR LOWER("Command") ILIKE '%tasklist%/fi%'
          OR LOWER("Command") ILIKE '%get-process%-name%' THEN 'ProcessPresence'
        ELSE 'Unknown'
    END AS guardrail_type,
    CASE
        WHEN LOWER("Command") ILIKE '%volumeserialnumber%'
          OR LOWER("Command") ILIKE '%win32_logicaldisk%'
          OR LOWER("Command") ILIKE '%fsutil volume%' THEN 3
        WHEN LOWER("Command") ILIKE '%ekrn.exe%'
          OR LOWER("Command") ILIKE '%egui.exe%' THEN 3
        WHEN LOWER("Command") ILIKE '%win32_computersystem%'
          OR LOWER("Command") ILIKE '%dnsdomain%'
          OR LOWER("Command") ILIKE '%if exist%'
          OR LOWER("Command") ILIKE '%test-path%'
          OR LOWER("Command") ILIKE '%get-process%-name%' THEN 2
        ELSE 1
    END AS risk_score
FROM events
WHERE
    starttime > NOW() - 86400000
    AND (
        LOWER("Parent Process Name") ILIKE '%wscript.exe'
        OR LOWER("Parent Process Name") ILIKE '%cscript.exe'
        OR LOWER("Parent Process Name") ILIKE '%mshta.exe'
        OR LOWER("Parent Process Name") ILIKE '%rundll32.exe'
        OR LOWER("Parent Process Name") ILIKE '%regsvr32.exe'
        OR LOWER("Parent Process Name") ILIKE '%msiexec.exe'
        OR LOWER("Parent Process Name") ILIKE '%installutil.exe'
        OR LOWER("Parent Process Name") ILIKE '%cmstp.exe'
        OR LOWER("Parent Process Name") ILIKE '%powershell.exe'
        OR LOWER("Parent Process Name") ILIKE '%pwsh.exe'
    )
    AND (
        LOWER("Command") ILIKE '%volumeserialnumber%'
        OR LOWER("Command") ILIKE '%win32_logicaldisk%'
        OR LOWER("Command") ILIKE '%fsutil volume%'
        OR LOWER("Command") ILIKE '%vol c:%'
        OR LOWER("Command") ILIKE '%vol d:%'
        OR LOWER("Command") ILIKE '%win32_computersystem%'
        OR LOWER("Command") ILIKE '%dnsdomain%'
        OR LOWER("Command") ILIKE '%userdnsdomain%'
        OR LOWER("Command") ILIKE '%logonserver%'
        OR LOWER("Command") ILIKE '%nltest%domain_trusts%'
        OR LOWER("Command") ILIKE '%nltest%dclist%'
        OR LOWER("Command") ILIKE '%win32_networkadapterconfiguration%'
        OR LOWER("Command") ILIKE '%macaddress%'
        OR LOWER("Command") ILIKE '%defaultipgateway%'
        OR LOWER("Command") ILIKE '%if exist%'
        OR LOWER("Command") ILIKE '%if not exist%'
        OR LOWER("Command") ILIKE '%test-path%'
        OR LOWER("Command") ILIKE '%haldrund.pid%'
        OR LOWER("Command") ILIKE '%irc.pid%'
        OR LOWER("Command") ILIKE '%ekrn.exe%'
        OR LOWER("Command") ILIKE '%egui.exe%'
        OR LOWER("Command") ILIKE '%tasklist%/fi%'
        OR LOWER("Command") ILIKE '%get-process%-name%'
    )
ORDER BY risk_score DESC, starttime DESC
LIMIT 1000
```

AQL query for QRadar targeting process creation events (typically sourced from Windows Security Event 4688 with command-line auditing, or Sysmon Event 1 via a DSM) where the parent process is a known LOLBin or script interpreter and the child command line contains environmental fingerprinting patterns consistent with T1480 Execution Guardrails. The WHERE filter carries the same pattern set as the guardrail_type classification (including the 'if not exist' and 'vol c:' / 'vol d:' variants), so every returned row is classified and the 'Unknown' branch only fires if the two lists drift apart during tuning. Field names 'Command', 'Process Name', and 'Parent Process Name' follow the QRadar Windows Security DSM normalisation; adjust them to match your local DSM property mappings if they differ. Risk scoring and guardrail type classification mirror the Sentinel and Splunk baselines for cross-platform consistency.
False Positives & Tuning
- Enterprise patch management agents (WSUS, SCCM, Ivanti) that invoke PowerShell or msiexec as parent processes and spawn child scripts querying Win32_LogicalDisk for target disk space or Win32_ComputerSystem for OS version before applying patches
- IT automation frameworks (Ansible WinRM, Puppet, Chef) executing scripts via cscript or wscript that verify domain membership or enumerate network adapter configuration as pre-flight checks before applying configuration baselines
- Legitimate software license managers (FlexNet, Sentinel RMS) that spawn child processes from installutil or rundll32 to check volume serial numbers or hostnames for node-locked license enforcement
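To validate the pattern sets and the tuning exclusions before loading the rule into QRadar, the following added Python model replicates the query's parent-process filter, guardrail_type classification and risk_score logic over constructed process-creation events. It is example code written for this page, not part of the original detection package; the ALLOWLIST, the svc-patchmgmt service account and the sample events are constructed assumptions.

```python
import re
# Pattern sets copied from the AQL query's CASE branches; '%' is the AQL ILIKE wildcard.
GUARDRAIL_TYPES = {
    "VolumeSerial": ["volumeserialnumber", "win32_logicaldisk", "fsutil volume", "vol c:", "vol d:"],
    "DomainOrHostname": ["win32_computersystem", "dnsdomain", "userdnsdomain", "logonserver", "nltest%domain_trusts", "nltest%dclist"],
    "NetworkIdentity": ["win32_networkadapterconfiguration", "macaddress", "defaultipgateway"],
    "FilePresence": ["if exist", "if not exist", "test-path", "haldrund.pid", "irc.pid"],
    "ProcessPresence": ["ekrn.exe", "egui.exe", "tasklist%/fi", "get-process%-name"],
}
RISK_3 = ["volumeserialnumber", "win32_logicaldisk", "fsutil volume", "ekrn.exe", "egui.exe"]
RISK_2 = ["win32_computersystem", "dnsdomain", "if exist", "test-path", "get-process%-name"]
PARENTS = ["wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "installutil.exe", "cmstp.exe", "powershell.exe", "pwsh.exe"]
# Constructed tuning allowlist of (username, guardrail_type): a hypothetical patch-management account may do the disk/OS lookups listed under False Positives & Tuning.
ALLOWLIST = {("svc-patchmgmt", "VolumeSerial"), ("svc-patchmgmt", "DomainOrHostname")}

def ilike(pattern, text):
    """Emulate AQL ILIKE: '%' matches any run of characters, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

def contains_any(text, patterns):
    return any(ilike("%" + p + "%", text) for p in patterns)

def classify(event):
    """Return (guardrail_type, risk_score) for a row the query would return, else None."""
    cmd = event["command"]
    if not any(ilike("%" + p, event["parent"]) for p in PARENTS):
        return None  # parent is not one of the LOLBins / script hosts in the WHERE clause
    gtype = next((t for t, pats in GUARDRAIL_TYPES.items() if contains_any(cmd, pats)), None)
    if gtype is None or (event["username"], gtype) in ALLOWLIST:
        return None  # no fingerprinting pattern, or suppressed by the tuning allowlist
    risk = 3 if contains_any(cmd, RISK_3) else 2 if contains_any(cmd, RISK_2) else 1
    return gtype, risk

def triage(events):
    """Events the query would return with their classification, highest risk first."""
    return sorted(((e, c) for e in events if (c := classify(e))), key=lambda ec: -ec[1][1])

# Constructed sample process-creation events (not real telemetry); commands mirror the Atomic Red Team tests under Testing Methodology.
SAMPLE_EVENTS = [
    {"username": "jdoe", "parent": r"C:\Windows\System32\wscript.exe",
     "command": "wmic logicaldisk get VolumeSerialNumber"},
    {"username": "jdoe", "parent": r"C:\Windows\explorer.exe",
     "command": "wmic logicaldisk get VolumeSerialNumber"},
    {"username": "svc-patchmgmt", "parent": r"C:\Windows\System32\msiexec.exe",
     "command": "powershell -c Get-WmiObject Win32_ComputerSystem"},
    {"username": "jdoe", "parent": r"C:\Windows\System32\rundll32.exe",
     "command": 'cmd /c if exist "%TEMP%\\guard.cfg" (echo go)'},
]
```

Running `triage(SAMPLE_EVENTS)` keeps only the wscript-spawned volume serial lookup (risk 3) and the rundll32-spawned 'if exist' check (risk 2); the explorer-parented event fails the parent filter and the service-account WMI query is tuned out.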
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Volume Serial Number Enumeration via WMIC
Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing is enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.
- Test 2: Hostname and Domain Membership Check via PowerShell WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.
- Test 3: File Presence Guardrail Check via CMD
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.
- Test 4: Security Product Process Check via Tasklist
Expected signal: Sysmon Event ID 1: two process creation events: cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in the command-line audit.
- Test 5: Linux PID File Mutex Guardrail
Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.