Description
Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can supply about a target system or environment for use as guardrails include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)
Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to the victims and platforms on which it will be most effective. A user-agent string self-reports data such as the user's software application, operating system, vendor, and version. Adversaries may inspect user-agents to identify the operating system and then serve malware only to the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)
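An analyst-side check for the user-agent gating described above, added here as an example and not part of the original page: request the same URL under several user-agents and group the responses by hash, since more than one distinct response is a strong indicator of delivery guardrails. The `fake_fetch` function, the URL, and the sample bodies are constructed stand-ins so the example runs offline; in practice the fetcher would be a real HTTP client run from an isolated analysis host.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample responses: a hypothetical delivery endpoint that serves its
# payload only to a Windows/Chrome user-agent and a benign decoy to everyone else.
DECOY = b"<html><body>Nothing to see here</body></html>"
PAYLOAD = b"CONSTRUCTED-FAKE-PAYLOAD-BYTES"

def fake_fetch(url: str, user_agent: str) -> bytes:
    """Stand-in for an HTTP client; mimics user-agent gating (constructed)."""
    if "Windows NT" in user_agent and "Chrome" in user_agent:
        return PAYLOAD
    return DECOY

# Constructed user-agent set; labels are analyst-chosen, strings are typical values.
USER_AGENTS = {
    "windows-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "macos-safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) AppleWebKit/605.1.15 "
                    "(KHTML, like Gecko) Version/16.0 Safari/605.1.15",
    "linux-curl": "curl/8.4.0",
    "sandbox-python": "python-requests/2.31.0",
}

def probe_user_agent_gating(url: str,
                            fetch: Callable[[str, str], bytes],
                            user_agents: Dict[str, str]) -> dict:
    """Fetch url once per user-agent and group labels by response hash.

    Returns {"gated": bool, "groups": {hash: [labels]}, "digests": {label: hash}}.
    'gated' is True when the server returned more than one distinct body.
    """
    digests: Dict[str, str] = {}
    for label, ua in user_agents.items():
        body = fetch(url, ua)
        digests[label] = hashlib.sha256(body).hexdigest()[:16]
    groups: Dict[str, List[str]] = {}
    for label, digest in digests.items():
        groups.setdefault(digest, []).append(label)
    return {"gated": len(groups) > 1, "groups": groups, "digests": digests}

if __name__ == "__main__":
    result = probe_user_agent_gating("http://example.invalid/download", fake_fetch, USER_AGENTS)
    print("gated:", result["gated"])
    for digest, labels in result["groups"].items():
        print(digest, "served to", ", ".join(labels))
```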
Mitigations (1)
M1055: Do Not Mitigate
Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used geolocation filtering in malware delivery to redirect traffic not coming from a targeted re... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has configured C2 endpoints to review IP geolocation, request headers, victim environmen... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) stopped execution if the identified language settings on victim machines were Russian or one of several ... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used geoblocking to limit downloads of the malicious file to specific geographic location... |
Associated Software (42)
| ID | Name | Type | Context |
|---|---|---|---|
| S1052 | DEADEYE | Malware | [DEADEYE](https://attack.mitre.org/software/S1052) can ensure it executes only on intended systems by identifying the victim's volume serial number, h... |
| S1179 | Exbyte | Malware | [Exbyte](https://attack.mitre.org/software/S1179) checks for the presence of a configuration file before completing execution.(Citation: Microsoft Bla... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can execute a task which leads to execution if it finds a process name containing “creensaver.... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has an exception handler that executes when ESET antivirus applications `ekrn.exe` and `egui.exe`... |
| S9034 | Tsundere Botnet | Malware | [Tsundere Botnet](https://attack.mitre.org/software/S9034) has checked the victim machine’s location to avoid infecting in the Commonwealth of Indepen... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) will terminate without proceeding to encryption if the infected machine is on a list of allowlist... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has utilized logic to avoid executing on Russian based devices.(Citation: Socket GlassWorm Januar... |
| S0504 | Anchor | Malware | [Anchor](https://attack.mitre.org/software/S0504) can terminate itself if specific execution flags are not present.(Citation: Cyberreason Anchor Decem... |
| S0570 | BitPaymer | Malware | [BitPaymer](https://attack.mitre.org/software/S0570) compares file names and paths to a list of excluded names and directory names during encryption.(... |
| S1161 | BPFDoor | Malware | [BPFDoor](https://attack.mitre.org/software/S1161) creates a zero byte PID file at `/var/run/haldrund.pid`. [BPFDoor](https://attack.mitre.org/softwar... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) uses per-victim links for hosting malicious archives, such as ZIP files, in services such as Share... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) will check for the presence of several security products on victim machines and will avoid ... |
| S0636 | VaporRage | Malware | [VaporRage](https://attack.mitre.org/software/S0636) has the ability to check for the presence of a specific DLL and terminate if it is not found.(Cit... |
| S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) can call `window.location.pathname` to ensure that embedded files are being executed f... |
| S1185 | LightSpy | Malware | On macOS, [LightSpy](https://attack.mitre.org/software/S1185) checks the existence of a process identification number (PID) file, `/Users/Shared/irc.p... |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) is only delivered to a compromised host if the victim's IP address is on an allow-list.(Citation: M... |
| S1035 | Small Sieve | Malware | [Small Sieve](https://attack.mitre.org/software/S1035) can only execute correctly if the word `Platypus` is passed to it on the command line.(Citation... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) variants only execute if the keyboard layout or language matches a set list of variables.(Cit... |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can reject requests to phishing URLs if the User-Agent of the visitor doesn't match the allowlist... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can halt execution if the “en_US” locale is identified on a victim's machine.(Citation: Kaspersky ... |
References
- McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.
- Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024.
- Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.
Frequently Asked Questions
What is T1480 (Execution Guardrails)?
T1480 is a MITRE ATT&CK technique named 'Execution Guardrails'. It belongs to the Stealth tactic(s). Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ens...
How can T1480 be detected?
Detection of T1480 (Execution Guardrails) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1480?
There is 1 documented mitigation for T1480: Do Not Mitigate.
Which threat groups use T1480?
Known threat groups using T1480 include: APT-C-36, Contagious Interview, BlackByte, Gamaredon Group.