执行Guardrails

执行Guardrail会根据目标提供的特定于对手的环境特定条件来限制执行或操作。

Guardrail确保仅对预定目标执行有效载荷，并减少敌方战役造成的附带损害。对手可以提供的有关用作Guardrail的目标系统或环境的值可能包括特定的网络共享名称，附加的物理设备，文件，已加入的Active Directory（AD）域以及本地/外部IP地址。

环境密钥是一种类型的Guardrail，包括用于从给定计算环境中的特定类型的值派生加密/解密密钥的加密技术。值可以从特定于目标的元素派生，并用于为加密的有效负载生成解密密钥。特定于目标的值可以从特定的网络共享，物理设备，软件/软件版本，文件，已加入的AD域，系统时间以及本地/外部IP地址中得出。通过从特定于目标的环境值生成解密密钥，环境密钥可以使沙箱检测，反病毒检测，信息众包和逆向工程变得困难。这些困难可能会减慢事件响应过程的速度，并帮助对手隐藏其战术，技术和程序（TTP）。

类似于混淆文件或信息(T1027)，对手可能会使用防Guardrail和环境密钥来帮助保护其TTP并逃避检测。例如，环境密钥可用于将加密的有效负载传递给目标，该目标将在执行之前使用特定于目标的值来解密有效负载。通过利用特定于目标的值解密有效载荷，对手可以避免将解密密钥与有效载荷一起打包或通过潜在的受监视网络连接发送。根据收集目标特定值的技术，对加密有效负载进行反向工程可能会异常困难。通常，Guardrail可用于防止在不希望受到损害或在其中运行的环境中暴露功能。Guardrail的使用不同于典型的虚拟化/沙盒逃避(T1497)，在后者中可以做出不进一步参与的决定，因为对手指定的价值条件是针对特定目标的，而不是使其可能出现在任何环境中。

Execution Guardrails

Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target.

Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Environmental keying is one type of guardrail that includes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.[Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to Obfuscated Files or Information(T1027), adversaries may use guardrails and environmental keying to help protect their TTPs and evade detection. For example, environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. In general, guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical[Virtualization/Sandbox Evasion(T1497) where a decision can be made not to further engage because the value conditions specified by the adversary are meant to be target specific and not such that they could occur in any environment.

标签

ID编号： T1480

策略： 绕过防御

平台： Linux，macOS，Windows

所需权限： user

数据源： 过程监控

绕过防御： 防病毒，主机取证分析，基于签名的检测，静态文件分析

程序示例

名称	描述
APT33(G0064)	APT33(G0064)已使用其恶意软件中的杀死日期来保护执行。
APT33(G0064)	在有效载荷传递中利用环境键已观察到方程式(G0020)

Name	Description
APT33(G0064)	APT33(G0064) has used kill dates in their malware to guardrail execution.
Equation(G0020)	Equation(G0020) has been observed utilizing environmental keying in payload delivery.

缓解措施

减轻	描述
不要减缓(M1055)	执行Guardrails可能不应该通过预防性控制来缓解，因为它可以防止意外目标遭到破坏。如果有针对性，则应着重于防止对手工具在活动链中较早地运行，并在识别出后续恶意行为（如果受到威胁）时将其重点关注

Mitigation	Description
Do Not Mitigate(M1055)	Execution Guardrails(T1480) likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

检测

根据实现方式，检测环境键控动作可能很困难。监视生成的可疑进程，这些进程收集各种系统信息或执行其他形式的披露（尤其是在很短的时间内），可能有助于检测。

Detecting the action of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery(TA0007), especially in a short period of time, may aid in detection.

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn