Execution Guardrails

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.[1]

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical System Checks. While use of System Checks may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

ID: T1627
Sub-techniques:  T1627.001
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

New OS releases frequently contain additional limitations or controls around device location access.

M1011 User Guidance

Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Application vetting services can detect unnecessary and potentially abused API calls.

Permissions Requests

Application vetting services can detect unnecessary and potentially abused permissions.

DS0042 User Interface System Settings

The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu.

References