Execution Guardrails: Environmental Keying

ID Name
T1480.001 Environmental Keying
T1480.002 Mutual Exclusion

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.[1]

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.[2][3][4][5][6] By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.[2][6] These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.[2][4][5][6][7] By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.[2] This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.

Like other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.

ID: T1480.001
Sub-technique of:  T1480
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host Forensic Analysis, Signature-based Detection, Static File Analysis
Contributors: Nick Carr, Mandiant
Version: 1.0
Created: 23 June 2020
Last Modified: 04 May 2022

Procedure Examples

ID Name Description
G0096 APT41

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.[8]

G0020 Equation

Equation has been observed utilizing environmental keying in payload delivery.[2][9]

S0260 InvisiMole

InvisiMole can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.[10]

S1100 Ninja

Ninja can store its final payload in the Registry under $HKLM\SOFTWARE\Classes\Interface\ encrypted with a dynamically generated key based on the drive’s serial number.[11]

S1145 Pikabot

Pikabot stops execution if the infected system language matches one of several languages, with various versions referencing: Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarussian, and Slovenian.[12][13]

S0685 PowerPunch

PowerPunch can use the volume serial number from a target host to generate a unique XOR key for the next stage payload.[14]

S0240 ROKRAT

ROKRAT relies on a specific victim hostname to execute and decrypt important strings.[15]

S0141 Winnti for Windows

The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.[16]

Mitigations

ID Mitigation Description
M1055 Do Not Mitigate

Environmental Keying likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised via confusion of keys by the adversary. Mitigation of this technique is also unlikely to be feasible within most contexts because there are no standard attributes from which an adversary may derive keys. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may gather the victim's physical location(s) that can be used during targeting. Detecting the use of environmental keying may be difficult depending on the implementation.

DS0009 Process Process Creation

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of environmental keying may be difficult depending on the implementation.

References