title: Execution Guardrails (T1480)
id: df00tech-t1480
status: experimental
description: "Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions expected to be present on the target. Guardrails ensure a payload only executes against an intended target, reducing collateral damage from an adversary's campaign. Values used as guardrails include specific volume serial numbers, hostnames, Active Directory domain membership, IP addresses, the presence of specific files or processes, and specific command-line arguments. This technique is distinct from Virtualization/Sandbox Evasion (T1497): sandbox evasion avoids any analysis environment, while guardrails require a specific target environment to be confirmed before execution proceeds. Real-world examples include DEADEYE verifying volume serial number and hostname, Exbyte checking for a configuration file before completing execution, TONESHELL checking for ESET security processes (ekrn.exe, egui.exe) before injecting into waitfor.exe, BPFDoor using a PID mutex file at /var/run/haldrund.pid, RansomHub terminating if the machine appears on an allowlist, and Small Sieve requiring the literal keyword 'Platypus' as a command-line argument."
references:
  - https://attack.mitre.org/techniques/T1480/
  - https://df00tech.com/detections/T1480
author: df00tech
date: 2026/04/13
tags:
  - attack.t1480
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate deployment scripts (SCCM, Group Policy) that check domain membership or hostname before applying configuration — typically parent process is svchost.exe or ccmexec.exe, not a LOLBin"
  - "Monitoring and inventory agents (Tanium, Qualys, SolarWinds) that enumerate network adapter properties or system info — whitelist by exact parent process name"
  - "IT automation tools (PDQ Deploy, Altiris) that verify target environment before running installation packages"
  - Developer environment setup scripts that check for specific environments (dev/staging/prod) using hostname or domain name
  - "Backup software (Veeam, Acronis) that queries volume serial numbers for backup source identification — typically runs as a known service account"
level: medium