T1480: Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.
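The distinction above is easiest to see in code. The following is an added example, not code from the ATT&CK page or from any real implant: a guardrail implemented as environmental keying (the expected target values are the key material, so a wrong host cannot even decrypt the staged payload), placed beside the inverse sandbox-evasion decision. The field names, the USERDNSDOMAIN lookup, the toy stream cipher and the sample environments are all assumptions made for the demonstration.

```python
"""Added example (not from the ATT&CK page): a guardrail built as
environmental keying, beside the inverse sandbox-evasion decision."""
import hashlib
import hmac
import os
import socket
from typing import Dict, Optional, Sequence, Tuple

# Target attributes the guardrail keys on. Field names are assumptions.
FIELDS: Tuple[str, ...] = ("domain", "hostname")


def collect_environment() -> Dict[str, str]:
    """Read the host values a payload would compare against its target.
    USERDNSDOMAIN is set on domain-joined Windows hosts; elsewhere it is empty."""
    return {
        "domain": os.environ.get("USERDNSDOMAIN", ""),
        "hostname": socket.gethostname(),
    }


def derive_key(env: Dict[str, str], fields: Sequence[str] = FIELDS) -> bytes:
    """The expected target values ARE the key material, so an analyst who
    only has the binary cannot recover the key without knowing the target."""
    material = "|".join(f"{f}={env.get(f, '').strip().lower()}" for f in fields)
    return hashlib.sha256(b"guardrail-demo-v1|" + material.encode("utf-8")).digest()


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def seal(payload: bytes, target_env: Dict[str, str],
         fields: Sequence[str] = FIELDS) -> Tuple[bytes, bytes]:
    """Operator side: encrypt the payload under the intended target's values."""
    key = derive_key(target_env, fields)
    ciphertext = _keystream_xor(payload, key)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(ciphertext: bytes, tag: bytes, env: Dict[str, str],
           fields: Sequence[str] = FIELDS) -> Optional[bytes]:
    """Implant side: the guardrail. Only a host whose values reproduce the
    key passes the MAC check; everywhere else nothing is revealed or run."""
    key = derive_key(env, fields)
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(ciphertext, key)


def sandbox_evasion_would_run(env: Dict[str, str],
                              known_sandbox_hosts: Sequence[str]) -> bool:
    """Contrast with Virtualization/Sandbox Evasion: run unless a KNOWN-BAD value matches."""
    return env.get("hostname", "").lower() not in {h.lower() for h in known_sandbox_hosts}


def guardrail_would_run(env: Dict[str, str], ciphertext: bytes, tag: bytes,
                        fields: Sequence[str] = FIELDS) -> bool:
    """Guardrail: run only if the EXPECTED target-specific value matches."""
    return unseal(ciphertext, tag, env, fields) is not None


if __name__ == "__main__":
    # Constructed target and non-target environments.
    target = {"domain": "corp.example", "hostname": "fileserver01"}
    elsewhere = {"domain": "lab.example", "hostname": "analysis-vm"}
    ct, tag = seal(b"stage2 placeholder", target)
    print("on target :", unseal(ct, tag, target))
    print("off target:", unseal(ct, tag, elsewhere))
    print("this host :", guardrail_would_run(collect_environment(), ct, tag))
```

The practical consequence for defenders is the one the section hints at: a sample recovered from a non-target host, or detonated in a sandbox whose hostname and domain do not match, yields only ciphertext, so dynamic analysis must be fed the target's real values (or the values must be brute-forced from a candidate list) before the payload can be observed.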

Positive Technologies products that cover the technique

MaxPatrol HCC allows verification of permissions and access control lists. The technique is covered by MaxPatrol HCC, a MaxPatrol VM module that provides compliance control and infrastructure hardening.

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of guardrails may be difficult depending on the implementation.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that gather target-specific values a payload could compare against expected ones (joined AD domain, hostname, local or external IP addresses, network share names, attached devices, specific files). Detecting the use of guardrails may be difficult depending on the implementation.
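The two data sources above (DS0009 process creation and DS0017 command execution) point at the same observable: one parent process that, in quick succession, launches several distinct commands reading exactly the values a guardrail would key on. The following is an added example, not detection content from the ATT&CK page or from any Positive Technologies product: a small detection routine run over constructed, Sysmon Event ID 1-like records. The discovery utility list, the command-line markers, the 30-second window, the threshold of three and every sample record are assumptions chosen for the demonstration and should be tuned against real telemetry.

```python
"""Added example (not from the ATT&CK page): flag a parent process that
launches several distinct discovery commands within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Discovery utilities commonly used to read target-specific values
# (domain, hostname, addresses, shares). The set is an assumption; tune it.
DISCOVERY_IMAGES = {
    "whoami.exe", "hostname.exe", "ipconfig.exe", "systeminfo.exe",
    "net.exe", "net1.exe", "nltest.exe", "wmic.exe", "nslookup.exe", "arp.exe",
}
# Command-line fragments worth matching regardless of image name (DS0017).
DISCOVERY_CMDLINE_MARKERS = ("/dsgetdc", "net view", "net share", "get-wmiobject")
WINDOW = timedelta(seconds=30)
THRESHOLD = 3  # distinct discovery commands per parent within WINDOW

# Constructed process-creation records (Sysmon Event ID 1-like), not real telemetry.
# Layout: utc_time|parent_pid|parent_image|image|command_line
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z|4412|C:\\Users\\j\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\hostname.exe|hostname",
    "2024-05-01T10:00:02Z|4412|C:\\Users\\j\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\nltest.exe|nltest /dsgetdc:",
    "2024-05-01T10:00:02Z|4412|C:\\Users\\j\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    "2024-05-01T10:00:04Z|4412|C:\\Users\\j\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd /c net view \\\\fileserver01",
    "2024-05-01T10:03:00Z|880|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
    "2024-05-01T10:03:10Z|880|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig",
    "2024-05-01T10:15:00Z|880|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\whoami.exe|whoami",
]


def parse_event(line: str) -> Dict[str, object]:
    """Split one pipe-delimited record into typed fields."""
    t, ppid, pimage, image, cmd = line.split("|", 4)
    return {
        "time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"),
        "parent_pid": int(ppid),
        "parent_image": pimage,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "command_line": cmd,
    }


def is_discovery(ev: Dict[str, object]) -> bool:
    """Match on the image name (DS0009) or on the command line (DS0017)."""
    if ev["image"] in DISCOVERY_IMAGES:
        return True
    cmd = str(ev["command_line"]).lower()
    return any(marker in cmd for marker in DISCOVERY_CMDLINE_MARKERS)


def detect_discovery_bursts(lines: List[str], window: timedelta = WINDOW,
                            threshold: int = THRESHOLD) -> List[Dict[str, object]]:
    """One alert per parent whose sliding window holds >= threshold distinct
    discovery command lines; the alert keeps the largest window seen."""
    by_parent = defaultdict(list)
    for ev in map(parse_event, lines):
        if is_discovery(ev):
            by_parent[(ev["parent_pid"], ev["parent_image"])].append(ev)

    alerts: Dict[tuple, Dict[str, object]] = {}
    for key, evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])
        recent: List[Dict[str, object]] = []
        for ev in evs:
            recent.append(ev)
            recent = [e for e in recent if ev["time"] - e["time"] <= window]
            distinct = {str(e["command_line"]) for e in recent}
            if len(distinct) >= threshold:
                prev = alerts.get(key)
                if prev is None or len(distinct) > len(prev["commands"]):
                    alerts[key] = {
                        "parent_pid": key[0],
                        "parent_image": key[1],
                        "first_seen": recent[0]["time"],
                        "last_seen": ev["time"],
                        "commands": sorted(distinct),
                    }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

In the constructed data the unsigned binary in a Temp directory trips the rule with four distinct discovery commands inside three seconds, while the interactive explorer.exe session, which also runs ipconfig and whoami but twelve minutes apart, does not. Keying the window on the parent process rather than on the host is what separates a guardrail check from ordinary administrator activity; the unsigned or unusual parent image is a second signal worth adding as a score in production.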

Mitigation

ID: M1055
Name: Do Not Mitigate
Description:

Execution Guardrails likely should not be mitigated with preventative controls, because guardrails may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.