{ "type": "bundle", "id": "bundle--2c92a035-b376-4916-9a8e-a6be05d0ad78", "spec_version": "2.0", "objects": [ { "modified": "2023-03-20T18:44:26.317Z", "name": "Execution Guardrails", "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary-supplied and environment-specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. \nApplication vetting services can detect unnecessary and potentially abused permissions or API calls.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "created": "2022-03-30T20:31:16.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627", "external_id": "T1627" }, { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }