T1480 Sumo Logic CSE · Sumo

Detect Execution Guardrails in Sumo Logic CSE

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1480 Execution Guardrails
Canonical reference
https://attack.mitre.org/techniques/T1480/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*winlogbeat*" OR _sourceCategory="*wineventlog*")
// Sysmon Event ID 1 (Process Create); EventCode covers the Winlogbeat field name
| where EventID = "1" OR EventCode = "1"
// Sumo Logic search writes derived fields as "expression as name" rather than eval
| toLowerCase(CommandLine) as cmd
| toLowerCase(ParentImage) as parent
// Parent must be a LOLBin or script interpreter
| where parent matches "*\\wscript.exe"
  OR parent matches "*\\cscript.exe"
  OR parent matches "*\\mshta.exe"
  OR parent matches "*\\rundll32.exe"
  OR parent matches "*\\regsvr32.exe"
  OR parent matches "*\\msiexec.exe"
  OR parent matches "*\\installutil.exe"
  OR parent matches "*\\cmstp.exe"
  OR parent matches "*\\powershell.exe"
  OR parent matches "*\\pwsh.exe"
// One flag per guardrail category, matched against the lower-cased child command line
| if(cmd matches "*volumeserialnumber*" OR cmd matches "*win32_logicaldisk*" OR cmd matches "*fsutil volume*" OR cmd matches "*vol c:*" OR cmd matches "*vol d:*", 1, 0) as VolumeSerialCheck
| if(cmd matches "*win32_computersystem*" OR cmd matches "*dnsdomain*" OR cmd matches "*userdnsdomain*" OR cmd matches "*logonserver*" OR cmd matches "*nltest*domain_trusts*" OR cmd matches "*nltest*dclist*", 1, 0) as DomainHostnameCheck
| if(cmd matches "*win32_networkadapterconfiguration*" OR cmd matches "*macaddress*" OR cmd matches "*defaultipgateway*" OR cmd matches "*win32_networkadapter*", 1, 0) as NetworkFingerprintCheck
| if(cmd matches "*if exist*" OR cmd matches "*if not exist*" OR cmd matches "*test-path*" OR cmd matches "*haldrund.pid*" OR cmd matches "*irc.pid*", 1, 0) as FilePresenceCheck
| if(cmd matches "*ekrn.exe*" OR cmd matches "*egui.exe*" OR cmd matches "*tasklist*/fi*" OR cmd matches "*get-process*-name*", 1, 0) as ProcessPresenceCheck
// Number of categories hit; any hit is reported
| VolumeSerialCheck + DomainHostnameCheck + NetworkFingerprintCheck + FilePresenceCheck + ProcessPresenceCheck as GuardrailScore
| where GuardrailScore > 0
// First matching category wins the label
| if(VolumeSerialCheck = 1, "VolumeSerial",
    if(DomainHostnameCheck = 1, "DomainOrHostname",
    if(NetworkFingerprintCheck = 1, "NetworkIdentity",
    if(FilePresenceCheck = 1, "FilePresence",
    if(ProcessPresenceCheck = 1, "ProcessPresence", "Unknown"))))) as GuardrailType
// Volume serial checks and ESET process checks are the strongest signals
| if(VolumeSerialCheck = 1, 3,
    if(ProcessPresenceCheck = 1 AND (cmd matches "*ekrn.exe*" OR cmd matches "*egui.exe*"), 3,
    if(DomainHostnameCheck = 1 OR FilePresenceCheck = 1 OR ProcessPresenceCheck = 1, 2, 1))) as RiskScore
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, GuardrailType, GuardrailScore, RiskScore
| sort by RiskScore desc, _messageTime desc

Severity: high · Confidence: high

Sumo Logic query for T1480 Execution Guardrails targeting Sysmon Event ID 1 (Process Create) where a LOLBin or script interpreter is the parent process and the child command line contains environmental fingerprinting patterns. Covers all five guardrail categories (volume serial, domain/hostname, network identity, file presence, process presence) with per-event scoring consistent with the Sentinel and Splunk baselines. Adjust _sourceCategory values to match your Sysmon or Winlogbeat source configuration. Requires Sysmon deployed with ProcessCreate logging and command line capture enabled in sysmonconfig.xml.
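To check what the scoring above will actually label before the query is deployed, the following is an added example (not the page's or Sumo Logic's own code) that replicates the parent filter, the five category flags, GuardrailType and RiskScore in Python and runs them over constructed Sysmon Event ID 1 records. The event dictionaries, hostnames and command lines are constructed for the example; fnmatch stands in for Sumo's glob matching; the field names mirror the query.

```python
"""Offline replica of the Sumo query's guardrail scoring, run over constructed Sysmon EID 1 events."""
from fnmatch import fnmatchcase

# Parent-process list from the query (LOLBins and script interpreters).
PARENT_GLOBS = [
    "*\\wscript.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\rundll32.exe",
    "*\\regsvr32.exe", "*\\msiexec.exe", "*\\installutil.exe", "*\\cmstp.exe",
    "*\\powershell.exe", "*\\pwsh.exe",
]

# Guardrail categories and their command-line globs, in the priority order the
# query's nested if() uses to choose GuardrailType.
CATEGORIES = [
    ("VolumeSerial", ["*volumeserialnumber*", "*win32_logicaldisk*", "*fsutil volume*", "*vol c:*", "*vol d:*"]),
    ("DomainOrHostname", ["*win32_computersystem*", "*dnsdomain*", "*userdnsdomain*", "*logonserver*",
                          "*nltest*domain_trusts*", "*nltest*dclist*"]),
    ("NetworkIdentity", ["*win32_networkadapterconfiguration*", "*macaddress*", "*defaultipgateway*",
                         "*win32_networkadapter*"]),
    ("FilePresence", ["*if exist*", "*if not exist*", "*test-path*", "*haldrund.pid*", "*irc.pid*"]),
    ("ProcessPresence", ["*ekrn.exe*", "*egui.exe*", "*tasklist*/fi*", "*get-process*-name*"]),
]
ESET_GLOBS = ["*ekrn.exe*", "*egui.exe*"]  # the process checks the query scores at 3


def glob_any(text, globs):
    """True if text matches any glob. fnmatchcase: we lower-case first, like the query."""
    return any(fnmatchcase(text, g) for g in globs)


def score_event(event):
    """Return the event plus the query's derived fields, or None if the query would drop it."""
    if str(event.get("EventID", event.get("EventCode", ""))) != "1":
        return None
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not glob_any(parent, PARENT_GLOBS):
        return None
    hits = {name: int(glob_any(cmd, globs)) for name, globs in CATEGORIES}
    score = sum(hits.values())
    if score == 0:
        return None
    gtype = next(name for name, _ in CATEGORIES if hits[name])  # first hit wins
    if hits["VolumeSerial"]:
        risk = 3
    elif hits["ProcessPresence"] and glob_any(cmd, ESET_GLOBS):
        risk = 3
    elif hits["DomainOrHostname"] or hits["FilePresence"] or hits["ProcessPresence"]:
        risk = 2
    else:
        risk = 1
    return {**event, "GuardrailType": gtype, "GuardrailScore": score, "RiskScore": risk}


def run_detection(events):
    """Apply score_event to every record and order like the query: RiskScore desc, time desc."""
    alerts = [a for a in (score_event(e) for e in events) if a]
    return sorted(alerts, key=lambda a: (-a["RiskScore"], -a["_messageTime"]))


# Constructed sample telemetry (hostnames, users and paths are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": "1", "_messageTime": 100, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": PS,
     "CommandLine": "wmic path Win32_LogicalDisk where DeviceID='C:' get VolumeSerialNumber"},
    {"EventID": "1", "_messageTime": 200, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'cmd.exe /c tasklist /FI "IMAGENAME eq ekrn.exe" | findstr /I ekrn'},
    # GPO logon script using Test-Path: fires at RiskScore 2, the false-positive class listed below
    {"EventID": "1", "_messageTime": 300, "Computer": "WS03", "User": "CORP\\carol",
     "Image": PS, "ParentImage": PS,
     "CommandLine": r'''powershell.exe -NoProfile -Command "if (Test-Path 'C:\Program Files\Vendor\agent.cfg') { & 'C:\Scripts\apply-config.ps1' }"'''},
    # Same WMI query but parent is explorer.exe: dropped by the parent filter
    {"EventID": "1", "_messageTime": 400, "Computer": "WS04", "User": "CORP\\dave",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic path Win32_LogicalDisk get VolumeSerialNumber"},
    # Two categories in one command line: GuardrailScore 2, labelled by the first hit
    {"EventID": "1", "_messageTime": 500, "Computer": "WS05", "User": "CORP\\erin",
     "Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Get-WmiObject Win32_ComputerSystem | Select Domain; Get-Process -Name ekrn"'},
    # Not a Process Create event: dropped by the EventID filter
    {"EventID": "11", "_messageTime": 600, "Computer": "WS06", "User": "CORP\\frank",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": PS,
     "CommandLine": "cmd.exe /c if exist C:\\flag.txt echo ok"},
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(a["Computer"], a["GuardrailType"], a["GuardrailScore"], a["RiskScore"])
```

Running it shows the ordering the query produces (the two RiskScore 3 events first, newest first within a tier) and makes the tuning trade-off concrete: the Group Policy Test-Path script lands in the result set at RiskScore 2, so a parent-command-line or user exclusion for that script is the place to tune rather than removing the FilePresence globs.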

Data Sources

  • Sumo Logic Sysmon App (Sysmon Event ID 1)
  • Sumo Logic Windows App (Security Event 4688 with command line auditing)
  • Winlogbeat forwarding to Sumo Logic HTTP Source

Required Tables

Sysmon Event ID 1 — Process Create

False Positives & Tuning

  • Group Policy-triggered PowerShell scripts that run at logon or machine startup and use Test-Path or 'if exist' to conditionally apply configuration depending on whether a machine is in a specific OU or has specific software installed
  • Software deployment orchestrators (PDQ Deploy, ManageEngine Desktop Central) that use msiexec or installutil as parent processes while child scripts verify target OS domain membership or available disk volumes before staging installation packages
  • Endpoint hardening and CIS benchmark scripts executed via scheduled tasks under wscript or cscript that enumerate running processes including known AV/EDR binaries to determine hardening profile applicability
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Volume Serial Number Enumeration via WMIC

    Expected signal: Sysmon Event ID 1: Process Create with Image containing wmic.exe, CommandLine containing 'VolumeSerialNumber' and 'Win32_LogicalDisk'. Security Event ID 4688 (if command-line auditing enabled). WMI Activity Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational showing the Win32_LogicalDisk query. Defender MDE: DeviceProcessEvents row with FileName=wmic.exe.

  2. Test 2: Hostname and Domain Membership Check via PowerShell WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_ComputerSystem'. PowerShell ScriptBlock Log Event ID 4104 showing the WMI query in clear text. WMI Activity Event ID 5861 for the Win32_ComputerSystem query with property names Name, Domain, DNSDomain.

  3. Test 3: File Presence Guardrail Check via CMD

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'if exist'. Sysmon Event ID 11: File Create for the %TEMP%\df00tech-guard.cfg file. Security Event ID 4688 showing the full command with conditional logic.

  4. Test 4: Security Product Process Check via Tasklist

    Expected signal: Sysmon Event ID 1: Two process creation events — cmd.exe spawning tasklist.exe (CommandLine containing 'IMAGENAME eq ekrn.exe') and findstr.exe. Security Event ID 4688 for tasklist.exe with the /FI IMAGENAME filter argument visible in command-line audit.

  5. Test 5: Linux PID File Mutex Guardrail

    Expected signal: Linux auditd SYSCALL records: open()/creat() syscall on /var/run/test_guardrail_df00tech.pid (type=SYSCALL, syscall=open or openat). Syslog entries showing bash process activity. If MDE for Linux is deployed: DeviceFileEvents row with FileName=test_guardrail_df00tech.pid, FolderPath=/var/run/, InitiatingProcessFileName=bash.
