Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary's campaign. Values an adversary can supply about a target system or environment for use as guardrails may include environment information such as location.[1]

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical System Checks. A System Check typically looks for known sandbox or analysis values and continues execution only if none of them match; a guardrail looks for an expected target-specific value and continues execution only if that value is present. The two checks use inverted logic: the first runs by default and aborts on a match, the second stays dormant by default and runs only on a match.
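The distinction above is easiest to see in code. The following is an added illustration, not code from ATT&CK or from any procedure example on this page: a payload is keyed to an expected environment value (here a hypothetical `mccmnc=...` SIM identifier string, chosen only for the example), so the loader can only unseal it when the observed value matches, while a System Check is shown beside it with the opposite continue/abort logic. The HMAC-SHA256 counter-mode keystream is a toy construction used to keep the example self-contained; it is not a production cipher.

```python
import hashlib
import hmac

# Hypothetical target attribute used as the guardrail value (constructed for this
# example): the mobile country/network code the operator expects the victim's SIM
# to report. Neither the attribute nor the value comes from the ATT&CK page.
EXPECTED_TARGET = "mccmnc=310260"
TAG_LEN = 32


def derive_key(attribute_value: str) -> bytes:
    """Key depends only on the environment value; the sealed payload carries no copy of it."""
    return hashlib.sha256(b"guardrail-v1|" + attribute_value.encode("utf-8")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stream cipher, adequate to show the keying
    # idea, not a production construction.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(payload: bytes, target_value: str) -> bytes:
    """Encrypt-then-MAC the payload under a key derived from the expected target value."""
    key = derive_key(target_value)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def guardrail_gate(sealed: bytes, observed_value: str):
    """Guardrail logic: continue only on a match.

    Returns the payload when the observed environment value is the expected one,
    otherwise None, i.e. the loader stays dormant and exposes nothing.
    """
    key = derive_key(observed_value)
    tag, ciphertext = sealed[:TAG_LEN], sealed[TAG_LEN:]
    expected_tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))


def system_check_gate(observed_value: str, known_analysis_values) -> bool:
    """System Check logic, for contrast: continue unless a known analysis value matches."""
    return observed_value not in known_analysis_values


if __name__ == "__main__":
    sealed = seal(b"stage-two logic", EXPECTED_TARGET)
    print(guardrail_gate(sealed, EXPECTED_TARGET))                 # b'stage-two logic'
    print(guardrail_gate(sealed, "mccmnc=001010"))                 # None: wrong environment
    print(system_check_gate("mccmnc=001010", {"mccmnc=001010"}))   # False: sandbox value seen
```

For an analyst the practical consequence is the point of the example: a sample gated this way yields nothing in a sandbox that does not present the expected value, and the value itself cannot be read out of the binary because only its derived key is ever used. Recovering the second stage requires either the correct environment or a guess at the gated attribute.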

ID: T1627
Sub-techniques: T1627.001
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
Version: 1.1
Created: 30 March 2022
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1215 Binary Validator

Binary Validator has checked if the device is jailbroken.[2]

S9005 DocSwap

DocSwap has checked if the victim has accessed the malicious URL from a PC. If so, DocSwap redirected the victim to scan the malicious QR code using a mobile device.[3]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

New OS releases frequently contain additional limitations or controls around device location access.

M1011 User Guidance

Users should be advised to scrutinize applications that request location or sensitive phone-information permissions, and to deny permission requests from applications they do not recognize.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0653 Detection of Execution Guardrails
AN1737

Correlates (1) application access to device- or environment-specific attributes used to validate target conditions, (2) suppression of sensitive behavior until those attributes match an expected value, and (3) immediate transition into protected actions such as sensor use, file access, or network communication only after the condition is satisfied. The defender observes a causal chain where an app repeatedly evaluates device state or environment context and withholds execution until a target-specific match occurs.

AN1738

Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only when the expected target context is present. Because direct observation of some runtime decision logic is weaker on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects following target-condition alignment.
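Both analytics above describe the same three-part correlation: repeated reads of target attributes, a dormant stretch despite granted permissions, and an abrupt start of protected actions right after a read. The following is an added example of that correlation written as detection logic, not part of the ATT&CK page or of any vendor's analytic. It runs over a constructed, platform-neutral event stream (an `Event` record abstracted from whatever telemetry the platform exposes; on iOS, per AN1738, the `sensitive` events would come mostly from lifecycle, sensor, and network effects). The app identifiers, thresholds, and attribute names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since app install on a constructed timeline
    app: str
    kind: str     # "perm_granted", "attr_read", or "sensitive"
    detail: str   # permission name, attribute read, or protected action taken


# Environment attributes an app would read to test a target condition (assumed set).
TARGET_ATTRS = {"location", "locale", "sim_mcc_mnc", "timezone", "network_ssid"}


def detect_guardrail(events: List[Event], min_reads: int = 3,
                     min_dormant_s: int = 600, trigger_window_s: int = 30) -> List[Dict]:
    """Flag apps that (1) repeatedly read target attributes, (2) stay dormant while
    holding permissions, and (3) start protected actions right after a read.
    Thresholds are example values, not tuned production settings."""
    by_app: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_app.setdefault(ev.app, []).append(ev)

    findings = []
    for app, evs in by_app.items():
        perms = [e for e in evs if e.kind == "perm_granted"]
        reads = [e for e in evs if e.kind == "attr_read" and e.detail in TARGET_ATTRS]
        sensitive = [e for e in evs if e.kind == "sensitive"]
        if not perms or not sensitive:
            continue
        first_action = sensitive[0]
        # (2) feature suppression: permission held, but no protected action for a long stretch
        dormant_s = first_action.ts - perms[0].ts
        if dormant_s < min_dormant_s:
            continue
        # (1) repeated evaluation of target attributes during that dormant stretch
        polled = [r for r in reads if perms[0].ts <= r.ts < first_action.ts]
        if len(polled) < min_reads:
            continue
        # (3) abrupt transition: the first protected action follows the last read almost at once
        last_read = polled[-1]
        if first_action.ts - last_read.ts > trigger_window_s:
            continue
        findings.append({
            "app": app,
            "attribute": last_read.detail,
            "reads_while_dormant": len(polled),
            "dormant_s": dormant_s,
            "first_action": first_action.detail,
        })
    return findings


def sample_events() -> List[Event]:
    """Constructed telemetry for two hypothetical apps; not real log data."""
    guarded = "com.example.docviewer"   # hypothetical: polls location, then suddenly acts
    maps = "com.example.maps"           # hypothetical: uses location as soon as it reads it
    return [
        Event(0, guarded, "perm_granted", "ACCESS_FINE_LOCATION"),
        Event(5, guarded, "attr_read", "location"),
        Event(305, guarded, "attr_read", "location"),
        Event(605, guarded, "attr_read", "location"),
        Event(905, guarded, "attr_read", "location"),
        Event(910, guarded, "sensitive", "camera_open"),
        Event(912, guarded, "sensitive", "network_post"),
        Event(0, maps, "perm_granted", "ACCESS_FINE_LOCATION"),
        Event(2, maps, "attr_read", "location"),
        Event(3, maps, "sensitive", "network_post"),
        Event(302, maps, "attr_read", "location"),
        Event(303, maps, "sensitive", "network_post"),
    ]


if __name__ == "__main__":
    for finding in detect_guardrail(sample_events()):
        print(finding)
```

The benign map app reads location just as often but uses it immediately, so it never satisfies the dormancy condition; only the app that held its permission for fifteen minutes, polled location four times, and then opened the camera within seconds of a read is reported. In practice the dormancy threshold is the knob that separates legitimate lazy permission use from guardrail behaviour, and it should be set from a baseline of how quickly apps in the fleet normally act on a granted permission.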

References