Skip to content

T1480 Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.3 Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.1

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

Adversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user’s software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.2

Item Value
ID T1480
Sub-techniques T1480.001, T1480.002
Tactics TA0005
Platforms ESXi, Linux, Windows, macOS
Version 1.3
Created 31 January 2019
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1194 Akira _v2 Akira _v2 will fail to execute if the targeted /vmfs/volumes/ path does not exist or is not defined.41
S0504 Anchor Anchor can terminate itself if specific execution flags are not present.9
S1133 Apostle Apostle’s ransomware variant requires that a base64-encoded argument is passed when executed, that is used as the Public Key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function.27
S0570 BitPaymer BitPaymer compares file names and paths to a list of excluded names and directory names during encryption.10
G1043 BlackByte BlackByte stopped execution if identified language settings on victim machines was Russian or one of several language associated with former Soviet republics.43 BlackByte has used ransomware variants requiring a key passed on the command line for the malware to execute.44
S1180 BlackByte Ransomware BlackByte Ransomware creates a mutex value with a hard-coded name, and terminates if that mutex already exists on the victim system. BlackByte Ransomware checks the system language to see if it matches one of a list of hard-coded values; if a match is found, the malware will terminate.37
S1184 BOLDMOVE BOLDMOVE verifies it is executing from a specific path during execution.40
S0635 BoomBox BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found.15
S1161 BPFDoor BPFDoor creates a zero byte PID file at /var/run/haldrund.pid. BPFDoor uses this file to determine if it is already running on a system to ensure only one instance is executing at a time.11
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can execute a task which leads to execution if it finds a process name containing “creensaver.”6
G1052 Contagious Interview Contagious Interview has configured C2 endpoints to review IP geolocation, request headers, victim environment details and runtime conditions prior to delivering payloads.42
S1111 DarkGate DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.12
S1052 DEADEYE DEADEYE can ensure it executes only on intended systems by identifying the victim’s volume serial number, hostname, and/or DNS domain.4
S0634 EnvyScout EnvyScout can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.15
S1179 Exbyte Exbyte checks for the presence of a configuration file before completing execution.5
G0047 Gamaredon Group Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations.4546
S1185 LightSpy On macOS, LightSpy checks the existence of a process identification number (PID) file, /Users/Shared/irc.pid, to verify if LightSpy is currently running.16
S1199 LockBit 2.0 LockBit 2.0 will not execute on hosts where the system language is set to a language spoken in the Commonwealth of Independent States region.3130
S1202 LockBit 3.0 LockBit 3.0 can make execution dependent on specific parameters including a unique passphrase and the system language of the targeted host not being found on a set exclusion list. 212322
S1143 LunarLoader LunarLoader can use the DNS domain name of a compromised host to create a decryption key to ensure a malicious payload can only execute against the intended targets.28
S0637 NativeZone NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware’s components.1534
S1242 Qilin Qilin can require a specific password to be passed by command-line argument during execution which must match a pre-defined value in the configuration in order for it to continue execution.24
S1212 RansomHub RansomHub will terminate without proceeding to encryption if the infected machine is on a list of allowlisted machines specified in its configuration.8
S1130 Raspberry Robin Raspberry Robin will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified.13 Raspberry Robin can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script.14
C0047 RedDelta Modified PlugX Infection Chain Operations Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.47
S1240 RedLine Stealer RedLine Stealer has built in settings to not operate based on geolocation or country of the victim host.3233
S1150 ROADSWEEP ROADSWEEP requires four command line arguments to execute correctly, otherwise it will produce a message box and halt execution.63536
S1210 Sagerunex Sagerunex uses a “servicemain” function to verify its environment to ensure it can only be executed as a service, as well as the existence of a configuration file in a specified directory.39
S1178 ShrinkLocker ShrinkLocker will exit its “main” function if the victim domain name does not match provided criteria.38
S1035 Small Sieve Small Sieve can only execute correctly if the word Platypus is passed to it on the command line.18
S1200 StealBit StealBit will execute an empty infinite loop if it detects it is being run in the context of a debugger.29
S1183 StrelaStealer StrelaStealer variants only execute if the keyboard layout or language matches a set list of variables.1920
S0603 Stuxnet Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met.25
S0562 SUNSPOT SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.26
S1239 TONESHELL TONESHELL has an exception handler that executes when ESET antivirus applications ekrn.exe and egui.exe are not found and directly injects its code into waitfor.exe using Native Windows API including WriteProcessMemory and CreateRemoteThreadEx.7
S0678 Torisma Torisma is only delivered to a compromised host if the victim’s IP address is on an allow-list.17
S0636 VaporRage VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found.15

Mitigations

ID Mitigation Description
M1055 Do Not Mitigate Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

References

  1. McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. 

  2. Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024. 

  3. Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries’. Retrieved January 17, 2019. 

  4. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  5. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024. 

  6. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  7. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025. 

  8. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025. 

  9. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  10. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  11. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023. 

  12. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  13. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024. 

  14. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. 

  15. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  16. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. 

  17. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  18. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. 

  19. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024. 

  20. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024. 

  21. CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025. 

  22. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  23. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025. 

  24. Hacioglu, S. (2025, March 10). Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024. Retrieved September 26, 2025. 

  25. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. 

  26. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  27. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. 

  28. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  29. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  30. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025. 

  31. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025. 

  32. Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025. 

  33. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025. 

  34. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. 

  35. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. 

  36. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. 

  37. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024. 

  38. Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024. 

  39. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025. 

  40. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024. 

  41. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024. 

  42. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  43. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024. 

  44. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024. 

  45. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. 

  46. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025. 

  47. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.