
Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019) Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

ID: T1480
Sub-techniques: T1480.001
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, Process: Process Creation
Version: 1.1
Created: 31 Jan 2019
Last Modified: 03 May 2022

Procedure Examples

Name Description
Anchor

Anchor can terminate itself if specific execution flags are not present.(Citation: Cyberreason Anchor December 2019)

BitPaymer

BitPaymer compares file names and paths to a list of excluded names and directory names during encryption.(Citation: Crowdstrike Indrik November 2018)

VaporRage

VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found.(Citation: MSTIC Nobelium Toolset May 2021)

EnvyScout

EnvyScout can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.(Citation: MSTIC Nobelium Toolset May 2021)

Torisma

Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list.(Citation: McAfee Lazarus Nov 2020)

Small Sieve

Small Sieve can only execute correctly if the word `Platypus` is passed to it on the command line.(Citation: NCSC GCHQ Small Sieve Jan 2022)

Stuxnet

Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met.(Citation: Symantec W.32 Stuxnet Dossier)

SUNSPOT

SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.(Citation: CrowdStrike SUNSPOT Implant January 2021)

BoomBox

BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found.(Citation: MSTIC Nobelium Toolset May 2021)

NativeZone

NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)

Mitigations

Mitigation Description
Do Not Mitigate

This category is used for techniques where applying a mitigation might increase the risk of compromise, so mitigation is not recommended.

Environmental Keying Mitigation

This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Detection

Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
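An added detection example, not part of the ATT&CK entry or of SECURITM's content, that implements the idea in the paragraph above: it parses constructed process-creation events (the `ts host key=value ... cmd=<command line>` layout, host names, PIDs and paths are all assumptions made for the illustration) and raises one alert per parent process that launches several Discovery utilities inside a short window, which is the behaviour a guardrail check tends to produce just before the payload decides whether to run. The `DISCOVERY_BINARIES` list is likewise an assumed, deliberately small starting set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in an assumed
# "ts host key=value ... cmd=<command line>" layout (not a real log format).
SAMPLE_EVENTS = [
    "2024-03-05T09:15:02 WS-17 parent=4412 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe cmd=whoami.exe /all",
    "2024-03-05T09:15:03 WS-17 parent=4412 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe cmd=net.exe view \\\\fileserver",
    "2024-03-05T09:15:05 WS-17 parent=4412 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe cmd=ipconfig.exe /all",
    "2024-03-05T09:15:09 WS-17 parent=4412 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe cmd=reg.exe query HKLM\\SOFTWARE\\ExampleVendor",
    "2024-03-05T09:20:00 WS-17 parent=1200 image=C:\\Windows\\explorer.exe cmd=notepad.exe",
    "2024-03-05T09:31:00 WS-17 parent=1200 image=C:\\Windows\\explorer.exe cmd=hostname.exe",
    "2024-03-05T09:45:00 WS-17 parent=1200 image=C:\\Windows\\explorer.exe cmd=whoami.exe",
]

# Built-in utilities commonly used for Discovery; an assumed, deliberately small list.
DISCOVERY_BINARIES = {
    "whoami.exe", "hostname.exe", "systeminfo.exe", "ipconfig.exe", "net.exe",
    "nltest.exe", "wmic.exe", "reg.exe", "tasklist.exe", "query.exe",
}


def parse_event(line):
    """Turn one constructed event line into a dict: ts, host, parent, image, cmd, binary."""
    ts_str, host, rest = line.split(" ", 2)
    # The command line may contain spaces, so split it off before the other key=value pairs.
    before, _, cmd = rest.partition(" cmd=")
    event = {"ts": datetime.fromisoformat(ts_str), "host": host, "cmd": cmd}
    for token in before.split():
        key, _, value = token.partition("=")
        event[key] = value
    # Normalise the launched executable to a bare lower-case file name.
    first = cmd.split()[0] if cmd else ""
    event["binary"] = first.lower().rsplit("\\", 1)[-1]
    return event


def find_rapid_discovery(lines, window_seconds=60, threshold=3):
    """Return one alert per (host, parent) that launched at least `threshold`
    Discovery binaries inside any interval of `window_seconds` seconds."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_parent = defaultdict(list)
    for e in events:
        if e["binary"] in DISCOVERY_BINARIES:
            by_parent[(e["host"], e["parent"])].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, parent), evs in by_parent.items():
        # Sliding window over the time-ordered Discovery launches of this parent.
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "host": host,
                "parent": parent,
                "image": evs[0]["image"],
                "count": best,
                "binaries": sorted({e["binary"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_discovery(SAMPLE_EVENTS):
        print(f"[T1480 candidate] {alert['host']} parent PID {alert['parent']} "
              f"({alert['image']}) launched {alert['count']} Discovery tools: "
              f"{', '.join(alert['binaries'])}")
```

On the constructed sample the parent running from the user's Temp directory is flagged (four Discovery launches in seven seconds), while explorer.exe, which launches two such tools fourteen minutes apart, is not. The window and threshold are tuning knobs: administrative scripts legitimately run these utilities, so in production the parent image path and signing status would be added as context before alerting.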
