Environmental Keying Linux
Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that uses cryptographic techniques to derive encryption/decryption keys from specific types of values in a given computing environment.
Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques and procedures (TTPs).
Similar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target, which then uses target-specific values to decrypt the payload before execution. By using target-specific values to decrypt the payload, the adversary avoids packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique used to gather target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.
Like other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing execution only if there is no match, environmental keying involves checking for an expected target-specific value that must match for decryption and subsequent execution to succeed.
Below is a simple binary that prints "Hello World" only if the value of the Name parameter is "Ubuntu"; in that case it executes, otherwise it does nothing.
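The following Python script is an added illustration of the mechanism described above; it is not the page's own binary. It assumes the "Name parameter" is the NAME field of /etc/os-release, reads that value from a constructed os-release sample embedded in the script (so it runs offline and never touches the host), derives a key from it with SHA-256, and unseals an HMAC-protected "Hello World" string. Instead of a library cipher it uses a toy SHA-256 counter keystream plus HMAC-SHA256, which is enough to show the defender-relevant point: when the environment value differs, the tag check fails and nothing is revealed, which is why a keyed sample can look dormant in a sandbox; an analyst who knows the value the sample was keyed for can run the same derivation to recover the content for analysis.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample of an /etc/os-release file (embedded so the example is
# deterministic and offline; a real keyed sample would read the host file).
SAMPLE_OS_RELEASE = 'NAME="Ubuntu"\nVERSION="22.04.3 LTS (Jammy Jellyfish)"\nID=ubuntu\n'


def parse_os_name(os_release_text: str) -> str:
    """Return the value of the NAME= key from os-release style text ('' if absent)."""
    for line in os_release_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "NAME":
            return value.strip().strip('"')
    return ""


def derive_key(env_value: str) -> bytes:
    """The environment value is the only key material; no key ships with the payload."""
    return hashlib.sha256(b"env-keying-demo:" + env_value.encode("utf-8")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (assumption: fine for a demo, not production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: blob = HMAC-SHA256(key, ciphertext) || ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key (i.e. the environment) does not match."""
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong environment: the payload stays opaque and nothing runs
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def build_keyed_payload(expected_name: str = "Ubuntu", message: bytes = b"Hello World") -> bytes:
    """What the packager produces: a blob keyed to the expected NAME value."""
    return seal(derive_key(expected_name), message)


def run_keyed_payload(os_release_text: str, blob: bytes) -> Optional[bytes]:
    """What the keyed binary does at runtime: derive the key from the host and try to unseal."""
    return unseal(derive_key(parse_os_name(os_release_text)), blob)


if __name__ == "__main__":
    blob = build_keyed_payload()
    print(run_keyed_payload(SAMPLE_OS_RELEASE, blob))          # b'Hello World'
    print(run_keyed_payload('NAME="Debian GNU/Linux"\n', blob))  # None
```

For triage this also shows why recording the exact environment a sample was observed in matters: the blob alone carries no key, so a sandbox reporting a different NAME value produces a "does nothing" verdict rather than the real behaviour.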