The sub-techniques beta is now live! Read the release blog post for more info.

Execution Guardrails

Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target.

Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.[1] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Environmental keying is one type of guardrail that includes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.[2] Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.[3][4][5][6][7] By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.[3][7] These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to Obfuscated Files or Information, adversaries may use guardrails and environmental keying to help protect their TTPs and evade detection. For example, environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.[3][5][6][7][8] By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.[3] In general, guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion where a decision can be made not to further engage because the value conditions specified by the adversary are meant to be target specific and not such that they could occur in any environment.

ID: T1480
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: Process monitoring
Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis
Contributors: Nick Carr, FireEye
Version: 1.0
Created: 31 January 2019
Last Modified: 19 July 2019

Procedure Examples

Name Description

APT33 has used kill dates in their malware to guardrail execution.[10]


Equation has been observed utilizing environmental keying in payload delivery.[3][9]


Mitigation Description
Do Not Mitigate

Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.


Detecting the action of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.