Skip to content

DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy

Item Value
ID DET0562
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1480 (Execution Guardrails)

Analytics

Windows

AN1551

Windows environmental validation behavioral chain: (1) Rapid system discovery reconnaissance through WMI queries, registry enumeration, and network share discovery, (2) Environment-specific artifact collection (hostname, domain, IP addresses, installed software, hardware identifiers), (3) Cryptographic operations or conditional logic based on collected environmental values, (4) Selective payload execution contingent on environmental validation results, (5) Temporal correlation between discovery activities and subsequent execution or network communication

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
User Account Authentication (DC0002) WinEventLog:Security EventCode=4648
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Process Modification (DC0020) WinEventLog:Sysmon EventCode=8
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
WMI Creation (DC0008) WinEventLog:WMI EventCode=5857, 5858, 5860, 5861
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field Description
DiscoveryTimeWindow Maximum time window for correlating multiple discovery activities indicating reconnaissance phase - adjust based on normal system behavior (default: 300 seconds)
DiscoveryActivityThreshold Minimum number of different discovery techniques within time window to trigger detection - balance between false positives and coverage (default: 4 activities)
CryptographicLibraryWhitelist Approved cryptographic libraries and modules for legitimate organizational use - maintain based on approved software inventory
WMIQueryComplexityThreshold Complexity score for WMI queries indicating reconnaissance vs. legitimate administration - tune based on administrative patterns
EnvironmentalArtifactList Environment-specific values commonly targeted by guardrails (hostnames, domains, network shares) - customize for organizational environment
ExecutionDelayBaseline Statistical baseline for normal delay between discovery and execution activities - establish through historical analysis

Linux

AN1552

Linux environmental validation behavioral chain: (1) Intensive system enumeration through command execution (uname, hostname, ifconfig, lsblk, mount), (2) File system reconnaissance targeting specific paths, network configurations, and installed packages, (3) Process and user enumeration to validate target environment characteristics, (4) Conditional script execution or binary activation based on environmental criteria, (5) Network connectivity validation and external IP address resolution for geolocation verification

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Access (DC0055) auditd:SYSCALL open
Network Connection Creation (DC0082) auditd:SYSCALL openat,connect -k discovery
Command Execution (DC0064) auditd:PROCTITLE command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)
User Account Authentication (DC0002) linux:syslog authentication and authorization events during environmental validation phase
Mutable Elements
Field Description
SystemDiscoveryCommandList Linux commands commonly used for system reconnaissance - customize based on environment-specific discovery patterns
ReconnaissanceBurstThreshold Number of discovery commands within time window indicating reconnaissance burst - tune based on legitimate administrative activity
EnvironmentalCheckPatterns File paths and system properties commonly validated by environmental keying - adapt to organizational infrastructure
NetworkDiscoveryBaseline Normal network discovery activity patterns to distinguish from malicious reconnaissance
ConditionalExecutionIndicators Script patterns and conditional logic indicating environment-based execution decisions

macOS

AN1553

macOS environmental validation behavioral chain: (1) System profiling through system_profiler, sysctl, and hardware discovery commands, (2) Network interface and configuration enumeration for geolocation and network environment validation, (3) Application installation and version discovery for software environment fingerprinting, (4) Security feature detection (SIP, Gatekeeper, XProtect status), (5) Conditional payload execution based on macOS-specific environmental criteria and System Integrity Protection bypass validation

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis
File Access (DC0055) fs:fileevents File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)
Mutable Elements
Field Description
MacOSDiscoveryTools macOS-specific system discovery utilities commonly used for environmental validation
SecurityFeatureEnumeration Security features and configurations typically validated by macOS execution guardrails
HardwareFingerprintBaseline Normal hardware discovery patterns to distinguish from environmental validation attempts
SIPBypassIndicators Patterns indicating attempts to validate or bypass System Integrity Protection

ESXi

AN1554

ESXi hypervisor environmental validation behavioral chain: (1) Virtual machine inventory and configuration enumeration through vim-cmd and esxcli commands, (2) Host hardware and network configuration discovery for hypervisor environment validation, (3) Datastore and storage configuration reconnaissance, (4) vCenter connectivity and cluster membership validation, (5) Selective malware deployment based on virtualization infrastructure characteristics and target VM validation

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:shell shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration
Process Creation (DC0032) esxi:hostd host daemon events related to VM operations and configuration queries during reconnaissance
Mutable Elements
Field Description
ESXiDiscoveryCommands ESXi commands commonly used for hypervisor and VM reconnaissance
VMInventoryEnumerationThreshold Number of VM inventory queries within time window indicating reconnaissance activity
HypervisorEnvironmentBaseline Normal hypervisor management activity patterns for distinguishing malicious reconnaissance
DatastoreAccessPatterns Unusual datastore access patterns indicating environmental validation or target selection