Execution Guardrails

Execution guardrails are conditional constraints an adversary builds into malicious code so that it activates only in a specific target environment: the code verifies preset environmental characteristics (domain membership, hardware configuration, network topology and the like) and refuses to run on systems that are not the intended target. Traditional defenses rely mainly on spotting anomalous environment probing or recognizing fixed condition-check logic, for example by monitoring system-call patterns such as process creation and Registry queries. Note that the mitigation entry below (M1055) advises against preventative controls aimed at the guardrail itself, since the check may keep unintended systems from being compromised; the practical response is tighter environment monitoring, strict least privilege to stop the adversary's tooling earlier in the chain, and behavioral analytics that flag unusual condition-verification activity.

To overcome the weaknesses of traditional guardrails, namely rigid logic and conspicuous indicators, adversaries have developed newer stealth approaches such as multi-dimensional dynamic verification and erasure of environmental traces, evolving static condition checks into dynamic, adaptive authorization schemes. Modular, decentralized verification architectures give precise control over the attack chain while keeping execution covert.

The current evolution of guardrail stealth techniques centers on making environment verification dynamic in time and space and on restructuring the verification logic so that it is hidden. Adversaries use layered, staged verification that breaks a single environment check into multi-stage, multi-dimensional feature validation, building an authorization hierarchy from the hardware layer up to the application layer to raise targeting precision (DEADEYE's combination of volume serial number, hostname and DNS domain is one example). Runtime dynamic loading physically separates the verification logic from the malicious payload, defeating static feature extraction; in its strongest form the payload is encrypted under a key derived from the target environment, as LunarLoader does with the host's DNS domain name, so an off-target copy cannot even be decrypted. Adaptive filtering on the delivery side hands payloads only to clients whose fingerprint matches (Torisma's IP allow-list, Gamaredon Group's geoblocking and Raspberry Robin's cookie validation are variants), minimizing wasted attempts and sample exposure. What these techniques share is a break with fixed-rule protection: by dynamically restructuring the verification logic, erasing the traces of verification and making the checks context-aware, they blend the execution-condition decision into the system's normal behavior, which substantially raises the difficulty of detecting environment-constrained attacks with traditional defenses.

This escalation forces defenders to build dynamic environment monitoring, develop detection models based on behavior-chain analysis, and protect the runtime environment of legitimate software. It also requires cross-layer threat intelligence correlation: combining anomalies from the hardware, system and application layers to recognize hidden guardrail logic.

ID: T1480
Sub-techniques: T1480.001, T1480.002, T1480.003, T1480.004
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host Forensic Analysis, Signature-based Detection, Static File Analysis
Contributors: Nick Carr, Mandiant
Version: 1.2
Created: 31 January 2019
Last Modified: 07 June 2024

Stealth Effects

Effect type                    Present
Feature camouflage
Behavior transparency
Data masking
Spatiotemporal trace erasure

Feature Camouflage

Adversaries hide a guardrail by embedding the environment-verification logic in a legitimate software behavior flow: running feature checks through ordinary system API call patterns, or dressing environment detection up as a software license validation routine. Verification requests use standard protocol formats (HTTPS, for example) and payload delivery mimics a software update mechanism, so the malicious behavior is hard to separate from legitimate operations.

Behavior Transparency

Using multi-level cascaded verification and dynamic condition loading, adversaries convert overt environment checks into implicit feature collection. The verification is broken into multiple low-privilege system calls scattered through normal business processing, so security monitoring struggles to recognize the attacker's intent. Environment features are gathered by a mix of passive sniffing and active probing to keep behavioral visibility as low as possible.

Data Masking

Environment feature data is processed with cryptographic primitives rather than compared in the clear: environment-keyed or asymmetric encryption (as when the decryption key is derived from the host's DNS domain name, or when the public key exists only as a command-line argument, as Apostle requires) and fuzzy hashing, with the key parameters in verification requests passed through several layers of obfuscation. C2 communication may use a customized TLS cipher suite and keep key fields encrypted in memory. The aim is that the verification logic and condition parameters cannot be parsed in transit, at rest or during processing, which frustrates traffic analysis and memory forensics.
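The environmental keying described above (the payload separated from its verification logic, with the decryption key derived from host identifiers, as in the evolution paragraph) and the data-masking effect (no comparison value or key present in the sample) are the same mechanism seen from two sides. The following is an added example written for this page, not code from LunarLoader, DEADEYE or any other sample listed here. It assumes a hypothetical HostProfile of hostname, DNS domain and volume serial number, uses only the Python standard library, and substitutes an HMAC-SHA256 counter-mode keystream for a real AEAD cipher:

```python
"""Environmental keying demo: a payload sealed under a key derived from the
target host's identity (hostname, DNS domain, volume serial) decrypts only
there. Constructed example, standard library only; it is not code from any
sample named on this page."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostProfile:
    """Identifiers a loader can read locally (hypothetical field set,
    chosen to mirror the values DEADEYE is reported to check)."""
    hostname: str
    dns_domain: str
    volume_serial: str  # e.g. the serial shown by `vol C:` on Windows


def fingerprint(profile: HostProfile) -> bytes:
    # Canonicalise case so WS-FIN-017 and ws-fin-017 yield the same key;
    # the volume serial is hex, so upper-case it.
    parts = (profile.hostname.lower(), profile.dns_domain.lower(),
             profile.volume_serial.upper())
    return "|".join(parts).encode()


def derive_key(profile: HostProfile, salt: bytes) -> bytes:
    # A slow KDF raises the cost of guessing candidate environments offline
    # when an analyst has the sample but not the host.
    return hashlib.pbkdf2_hmac("sha256", fingerprint(profile), salt,
                               100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib stream cipher (illustrative;
    # with the `cryptography` package available, use AES-GCM instead).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, profile: HostProfile) -> bytes:
    """Encrypt and authenticate `payload` for exactly one host profile."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(profile, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def open_on_host(blob: bytes, profile: HostProfile) -> Optional[bytes]:
    """Return the payload if `profile` matches, else None. The MAC check
    means a wrong environment yields nothing at all, not garbled bytes."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(profile, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    target = HostProfile("WS-FIN-017", "corp.example.com", "A1B2-C3D4")
    blob = seal(b"stage-two payload", target)
    print(open_on_host(blob, target))
    print(open_on_host(blob, HostProfile("ANALYST-VM", "sandbox.local", "0000-0000")))
```

The forensic consequence is the point: a copy of this blob recovered from a sandbox or from a non-target host contains no key and no plaintext, only a salt, a nonce, a tag and ciphertext. Recovering the second stage requires the real target's identifiers, so incident responders should collect hostname, DNS domain and volume serial numbers from the affected machine at triage time rather than relying on the sample alone.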

Procedure Examples

ID Name Description
S0504 Anchor

Anchor can terminate itself if specific execution flags are not present.[1]

S1133 Apostle

Apostle's ransomware variant requires that a base64-encoded argument be passed when it is executed; the argument is used as the public key for subsequent encryption operations. If Apostle is executed without this argument, it automatically runs a self-delete function.[2]

S0570 BitPaymer

BitPaymer compares file names and paths to a list of excluded names and directory names during encryption.[3]

S0635 BoomBox

BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found.[4]

S1161 BPFDoor

BPFDoor creates a zero byte PID file at /var/run/haldrund.pid. BPFDoor uses this file to determine if it is already running on a system to ensure only one instance is executing at a time.[5]

S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can execute a task which leads to execution if it finds a process name containing "creensaver."[6]

S1111 DarkGate

DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.[7]

S1052 DEADEYE

DEADEYE can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain.[8]

S0634 EnvyScout

EnvyScout can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.[4]

G0047 Gamaredon Group

Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations.[9]

S1143 LunarLoader

LunarLoader can use the DNS domain name of a compromised host to create a decryption key to ensure a malicious payload can only execute against the intended targets.[10]

S0637 NativeZone

NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.[4][11]

S1130 Raspberry Robin

Raspberry Robin will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified.[12] Raspberry Robin can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script.[13]

S1150 ROADSWEEP

ROADSWEEP requires four command line arguments to execute correctly, otherwise it will produce a message box and halt execution.[6][14][15]

S1035 Small Sieve

Small Sieve can only execute correctly if the word Platypus is passed to it on the command line.[16]

S0603 Stuxnet

Stuxnet checks for specific operating system versions on 32-bit machines, for specific Registry keys, and for dates relevant to the vulnerabilities it exploits, and exits if these conditions are not met.[17]

S0562 SUNSPOT

SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.[18]

S0678 Torisma

Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list.[19]

S0636 VaporRage

VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found.[4]

Mitigations

ID Mitigation Description
M1055 Do Not Mitigate

Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that gather host identity and environment details (hostname, DNS domain, volume serial number, or the specific command-line flags and files a sample expects) that a guardrail can use to decide whether to run. Detecting the use of guardrails may be difficult depending on the implementation.

DS0009 Process Process Creation

Monitor for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially within a short period of time; this may aid in detection. Detecting the use of guardrails may be difficult depending on the implementation.
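The process-creation detection idea above, turned into runnable logic as an added example (not a rule from ATT&CK or from any vendor): a parent process that launches several distinct host-discovery tools within a short window is the footprint of a guardrail gathering hostname, user, domain and volume serial before deciding whether to proceed. The events below are constructed Sysmon-style JSON lines with hypothetical field names (ts, pid, ppid, parent, image, cmdline); the tool list and the 30-second / three-tool thresholds are assumptions to tune against local baselines.

```python
"""Detection sketch: flag a parent process that burst-spawns several host-
discovery tools, the footprint of a guardrail collecting hostname, domain,
user and volume serial before deciding whether to run. Constructed example
over constructed Sysmon-style events (JSON lines); not a shipped rule."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Binaries whose only job is to report host identity / environment.
DISCOVERY_IMAGES = {"hostname.exe", "whoami.exe", "nltest.exe", "systeminfo.exe",
                    "wmic.exe", "ipconfig.exe", "net.exe", "reg.exe"}
# cmd.exe built-ins and variables that leak the same data (vol prints the
# volume serial number, the %...% variables the host and domain names).
CMD_BUILTIN_RE = re.compile(r"\bvol\b|%computername%|%userdnsdomain%|%userdomain%")


def classify(image: str, cmdline: str) -> Optional[str]:
    """Name the discovery tool an event represents, or None if benign."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name == "cmd.exe":
        return "cmd-builtin" if CMD_BUILTIN_RE.search(cmdline.lower()) else None
    return name[:-4] if name in DISCOVERY_IMAGES else None


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_guardrail_candidates(events: Iterable[Dict], window_s: int = 30,
                              min_distinct: int = 3) -> List[Dict]:
    """Group discovery children by parent; report parents that launch at
    least `min_distinct` different tools inside a `window_s` second window."""
    by_parent = defaultdict(list)
    for ev in events:
        kind = classify(ev["image"], ev.get("cmdline", ""))
        if kind:
            by_parent[(ev["ppid"], ev["parent"])].append((_ts(ev["ts"]), kind))
    hits = []
    for (ppid, parent), seen in by_parent.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            in_window = {k for t, k in seen[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(in_window) >= min_distinct:
                hits.append({"parent": parent, "ppid": ppid, "tools": sorted(in_window)})
                break  # one alert per parent is enough
    return hits


# Constructed events: an Office process probing the host within five seconds
# (suspicious) and an interactive shell running two commands minutes apart.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ts": "2024-06-07T09:15:01Z", "pid": 4120, "ppid": 3980, "parent": "winword.exe", "image": "C:\\Windows\\System32\\hostname.exe", "cmdline": "hostname"}
{"ts": "2024-06-07T09:15:02Z", "pid": 4124, "ppid": 3980, "parent": "winword.exe", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /upn"}
{"ts": "2024-06-07T09:15:03Z", "pid": 4130, "ppid": 3980, "parent": "winword.exe", "image": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /dsgetdc:"}
{"ts": "2024-06-07T09:15:05Z", "pid": 4133, "ppid": 3980, "parent": "winword.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c vol C:"}
{"ts": "2024-06-07T09:20:00Z", "pid": 5000, "ppid": 1200, "parent": "explorer.exe", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"}
{"ts": "2024-06-07T09:31:00Z", "pid": 5080, "ppid": 1200, "parent": "explorer.exe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"}
""".strip().splitlines()]


if __name__ == "__main__":
    for hit in find_guardrail_candidates(SAMPLE_EVENTS):
        print(hit)
```

The caveat from the detection table applies: a guardrail that reads the same values through direct API calls (GetComputerNameEx, GetVolumeInformation, or their Linux and macOS equivalents) never spawns these child processes, so this logic catches only the noisier implementations. Pair it with parent-child anomaly rules (an Office or browser process launching any of these tools at all) and with API-level telemetry where the EDR exposes it.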

References

  1. Dahan, A. et al. (2019, December 11). Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
  2. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  3. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  4. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  5. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  6. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  7. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  8. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  9. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  10. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.