Description
Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)
Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).
Similar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.
Platforms
Mitigations (1)
Do Not MitigateM1055
Environmental Keying likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised via confusion of keys by the adversary. Mitigation of this technique is also unlikely to be feasible within most contexts because there are no standard attributes from which an adversary may derive keys. If
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0020 | Equation | [Equation](https://attack.mitre.org/groups/G0020) has been observed utilizing environmental keying in payload delivery.(Citation: Kaspersky Gauss Whit... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific use... |
Associated Software (8)
| ID | Name | Type | Context |
|---|---|---|---|
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has generated unique GUIDs to identify victim devices.(Citation: Trend Micro Mustang Panda Earth ... |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) relies on a specific victim hostname to execute and decrypt important strings.(Citation: Volexity In... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has utilized environmental keying in the payload to include the victim volume serial number, comput... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) can store its final payload in the Registry under `$HKLM\SOFTWARE\Classes\Interface\` encrypted with ... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can use Data Protection API to encrypt its components on the victim’s computer, to evade detecti... |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) stops execution if the infected system language matches one of several languages, with various vers... |
| S0685 | PowerPunch | Malware | [PowerPunch](https://attack.mitre.org/software/S0685) can use the volume serial number from a target host to generate a unique XOR key for the next st... |
| S0141 | Winnti for Windows | Malware | The [Winnti for Windows](https://attack.mitre.org/software/S0141) dropper component can verify the existence of a single command line parameter and ei... |
References
- Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.
- Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.
- Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.
- Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.
- Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.
- Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1480.001 (Environmental Keying)?
T1480.001 is a MITRE ATT&CK technique named 'Environmental Keying'. It belongs to the Stealth tactic(s). Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constra...
How can T1480.001 be detected?
Detection of T1480.001 (Environmental Keying) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1480.001?
There are 1 documented mitigations for T1480.001. Key mitigations include: Do Not Mitigate.
Which threat groups use T1480.001?
Known threat groups using T1480.001 include: Equation, APT41.