title: Environmental Keying (T1480.001)
id: df00tech-t1480-001
status: experimental
description: "Adversaries may environmentally key payloads to constrain execution to a specific target by deriving cryptographic decryption keys from target-specific values such as volume serial numbers, machine GUIDs, hostnames, domain membership, or DPAPI-bound credentials. Because the decryption key is never transmitted and is derived solely from the victim environment, the payload cannot be analyzed in sandboxes or reversed without access to the exact target system. Real-world examples include APT41 using DPAPI to bind payloads to specific user accounts and machines, PowerPunch using volume serial numbers to generate XOR keys, InvisiMole using DPAPI to prevent decryption outside the compromised host, ROKRAT requiring a specific victim hostname to decrypt strings, and the Ninja implant storing payloads encrypted with keys derived from drive serial numbers."
references:
  - https://attack.mitre.org/techniques/T1480/001/
  - https://df00tech.com/detections/T1480.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1480.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software licensing and activation systems that read MachineGuid or volume serial numbers to generate per-seat license keys (e.g., Adobe, Microsoft Office, AutoCAD)"
  - "Hardware inventory and asset management tools (SCCM hardware inventory, Lansweeper, Tanium, Qualys) that enumerate WMI hardware properties including serial numbers and UUIDs"
  - Telemetry and diagnostics agents that read machine identifiers to correlate crash reports or usage data with specific devices
  - "Backup software and encryption tools (BitLocker, VeraCrypt) that use machine-specific identifiers for key escrow or binding"
  - IT deployment scripts that use machine GUIDs for unique endpoint identification in device registration workflows
level: medium