T1480 Splunk · SPL

Detect Execution Guardrails in Splunk

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1480 Execution Guardrails
Canonical reference
https://attack.mitre.org/techniques/T1480/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd=lower(CommandLine), parent=lower(ParentImage)
| eval IsSuspiciousParent=if(match(parent, "(wscript|cscript|mshta|rundll32|regsvr32|msiexec|installutil|cmstp|powershell|pwsh)\\.exe$"), 1, 0)
| eval VolumeSerialCheck=if(match(cmd, "(volumeserialnumber|win32_logicaldisk|vol\\s+[c-z]:|fsutil\\s+volume)"), 1, 0)
| eval DomainHostnameCheck=if(match(cmd, "(win32_computersystem|dnsdomain|userdnsdomain|logonserver|nltest\\s+/(domain_trusts|dclist))"), 1, 0)
| eval NetworkFingerprintCheck=if(match(cmd, "(win32_networkadapterconfiguration|macaddress|defaultipgateway)"), 1, 0)
| eval FilePresenceCheck=if(match(cmd, "(if\\s+(not\\s+)?exist|test-path|haldrund\\.pid|irc\\.pid)"), 1, 0)
| eval ProcessPresenceCheck=if(match(cmd, "(ekrn\\.exe|egui\\.exe|tasklist\\s+/fi|get-process\\s+-name)"), 1, 0)
| eval GuardrailScore=VolumeSerialCheck + DomainHostnameCheck + NetworkFingerprintCheck + FilePresenceCheck + ProcessPresenceCheck
| where GuardrailScore > 0 AND IsSuspiciousParent=1
| eval GuardrailType=case(
    VolumeSerialCheck=1, "VolumeSerial",
    DomainHostnameCheck=1, "DomainOrHostname",
    NetworkFingerprintCheck=1, "NetworkIdentity",
    FilePresenceCheck=1, "FilePresence",
    ProcessPresenceCheck=1, "ProcessPresence",
    true(), "Unknown")
| eval RiskScore=case(
    VolumeSerialCheck=1, 3,
    ProcessPresenceCheck=1 AND match(cmd, "(ekrn\\.exe|egui\\.exe)"), 3,
    DomainHostnameCheck=1 OR FilePresenceCheck=1 OR ProcessPresenceCheck=1, 2,
    true(), 1)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        GuardrailType, GuardrailScore, RiskScore
| sort - RiskScore, - _time
medium severity medium confidence

Detects execution guardrail patterns using Sysmon Event ID 1 (Process Creation). Evaluates command lines of child processes launched from LOLBins and script hosts against five guardrail categories: volume serial number queries, domain/hostname checks, network identity enumeration, file presence tests, and process presence checks. A composite GuardrailScore (sum of matched categories) and RiskScore (highest-risk category) help prioritize alerts. Volume serial checks and security-product process checks (ESET ekrn.exe/egui.exe) score highest at 3.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate deployment scripts checking domain membership or hostname before applying configuration
  • Monitoring and inventory agents enumerating network adapter properties or system info for asset tracking
  • IT automation tools verifying target environment before running installation packages
  • Developer scripts checking for environment type (dev/staging/prod) via hostname or domain
  • Backup software querying volume serial numbers for source identification when launched via a management console
Download portable Sigma rule (.yml)

Other platforms for T1480

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Volume Serial Number Enumeration via WMIC

    Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.

  2. Test 2Hostname and Domain Membership Check via PowerShell WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.

  3. Test 3File Presence Guardrail Check via CMD

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.

  4. Test 4Security Product Process Check via Tasklist

    Expected signal: Sysmon Event ID 1: Two process creation events — cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in command-line audit.

  5. Test 5Linux PID File Mutex Guardrail

    Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1480 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1480.001Environmental KeyingT1480.002Mutual ExclusionT1497Virtualization/Sandbox EvasionT1497.001System ChecksT1082System Information DiscoveryT1016System Network Configuration DiscoveryT1057Process DiscoveryT1083File and Directory DiscoveryT1033System Owner/User DiscoveryT1018Remote System Discovery

Same Tactic: Defense Evasion

Popular Detections