T1480.002

Mutual Exclusion

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource — only one thread or process can hold a given mutex at a time. By creating a uniquely named system mutex at startup, malware checks whether a prior instance is already running: if the mutex already exists, the new instance silently exits, preventing duplicate infections that could increase analyst visibility. Mutex names may be hard-coded strings (Embargo ransomware uses "LoadUpOnGunsBringYourFriends"; SUNSPOT uses a GUID string; Gazer uses "{531511FA-190D-5D85-8A4A-279F2F592CC7}"), machine-derived (LockBit 3.0 hashes the host MachineGUID value), or computed from the binary itself (GrimAgent uses the last 64 bytes of its PE file). In Linux environments, malware such as BPFDoor acquires an exclusive file lock on a runtime file — typically in /var/run/ — achieving the same single-instance effect without Windows API calls. Mutex-based execution guardrails indicate operational maturity: they reduce noise from redundant infections and help adversaries maintain stealth during long-dwell campaigns.

Microsoft Sentinel / Defender

kusto

let KnownMalwareMutexes = dynamic([
    "LoadUpOnGunsBringYourFriends",                   // Embargo ransomware (Cyble 2024)
    "mymutex",                                        // GrimAgent default fallback
    "{12d61a41-4b74-7610-a4d8-3028d2f56395}",         // SUNSPOT (SolarWinds intrusion)
    "{531511FA-190D-5D85-8A4A-279F2F592CC7}",         // Gazer backdoor (Turla)
    "I_am_an_unique_mutex",
    "Global\\TermService_alive",
    "Global\\MS_HIDDENCLK_R"
]);
let SuspiciousProcessPaths = dynamic([
    "\\AppData\\Roaming\\",
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\ProgramData\\",
    "\\Windows\\Temp\\",
    "\\Recycle"
]);
let TrustedSystemProcesses = dynamic([
    "svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe",
    "SenseIR.exe", "msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe"
]);
// Branch 1: Direct mutex telemetry via MDE enhanced ETW (Defender for Endpoint P2)
let MutexEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType has "Mutex" or ActionType has "Mutant"
| extend MutexName = coalesce(
    tostring(parse_json(AdditionalFields).MutexName),
    tostring(parse_json(AdditionalFields).ObjectName),
    tostring(parse_json(AdditionalFields).Name)
  )
| where isnotempty(MutexName)
| where MutexName has_any (KnownMalwareMutexes)
    or (
        MutexName matches regex @"^\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}$"
        and not (InitiatingProcessFileName in~ (TrustedSystemProcesses))
        and InitiatingProcessFolderPath has_any (SuspiciousProcessPaths)
    )
    or (
        MutexName matches regex @"^Global\\\\[0-9a-fA-F]{32}$"
        and InitiatingProcessFolderPath has_any (SuspiciousProcessPaths)
    )
| project
    Timestamp,
    DeviceName,
    AccountName = InitiatingProcessAccountName,
    ProcessName = InitiatingProcessFileName,
    ProcessPath = InitiatingProcessFolderPath,
    ProcessCommandLine = InitiatingProcessCommandLine,
    MutexName,
    ParentProcess = InitiatingProcessParentFileName,
    DetectionBranch = "MutexAPIEvent";
// Branch 2: Linux-style lock file creation in /var/run/ or /var/lock/ by non-system processes
// Matches BPFDoor (/var/run/initd.lock) and RedXOR patterns
let LockFileEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath startswith "/var/run/" or FolderPath startswith "/var/lock/"
| where FileName endswith ".lock" or FileName endswith ".pid" or FileName endswith ".run"
| where not (InitiatingProcessFileName in~ (
    "systemd", "init", "chronyd", "sshd", "crond", "cron",
    "rsyslogd", "dbus-daemon", "NetworkManager", "nginx",
    "apache2", "httpd", "mysqld", "postgres", "postfix",
    "auditd", "dockerd", "containerd", "kubelet"
  ))
| where not (
    InitiatingProcessFolderPath startswith "/usr/sbin/"
    or InitiatingProcessFolderPath startswith "/usr/bin/"
    or InitiatingProcessFolderPath startswith "/usr/lib/"
    or InitiatingProcessFolderPath startswith "/lib/systemd/"
    or InitiatingProcessFolderPath startswith "/sbin/"
    or InitiatingProcessFolderPath startswith "/bin/"
  )
| project
    Timestamp,
    DeviceName,
    AccountName = InitiatingProcessAccountName,
    ProcessName = InitiatingProcessFileName,
    ProcessPath = InitiatingProcessFolderPath,
    ProcessCommandLine = InitiatingProcessCommandLine,
    MutexName = strcat(FolderPath, "/", FileName),
    ParentProcess = InitiatingProcessParentFileName,
    DetectionBranch = "LinuxLockFile";
union MutexEvents, LockFileEvents
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: OS API Execution File: File Creation Microsoft Defender for Endpoint (enhanced ETW)

Required Tables

DeviceEvents DeviceFileEvents

False Positives

Legitimate .NET and Java applications using GUID-format named mutexes for single-instance enforcement (e.g., JetBrains IDEs, Adobe products)
Software installers (NSIS, Inno Setup, WiX-based) that create temporary GUID-named mutexes during installation from user temp directories
Package managers and system daemons (apt, yum, pip) creating lock files in /var/run/ during update operations
Database engines (MySQL, PostgreSQL, MongoDB) creating PID files in /var/run/ at daemon startup
Container runtimes (dockerd, containerd) creating runtime lock and PID files in /var/run/docker/ or /var/run/containerd/

Splunk

spl

// Branch 1: Windows Security 4663 — Kernel Object (Mutant type) access
// Requires: auditpol /set /subcategory:"Kernel Object" /success:enable
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4663
    ObjectType="Mutant"
| eval MutexName=coalesce('ObjectName', "unknown")
| eval IsKnownMalware=if(
    match(MutexName, "(?i)(LoadUpOnGunsBringYourFriends|mymutex|TermService_alive|I_am_an_unique_mutex)"),
    1, 0
  )
| eval IsGUIDMutex=if(
    match(MutexName, "^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"),
    1, 0
  )
| eval IsHexMutex=if(
    match(MutexName, "^Global\\\\[0-9A-Fa-f]{32}$"),
    1, 0
  )
| eval IsSystemProcess=if(
    match(ProcessName, "(?i)(svchost|services|lsass|MsMpEng|msiexec|TiWorker|TrustedInstaller)\.exe$"),
    1, 0
  )
| eval IsSuspiciousPath=if(
    match(ProcessName, "(?i)(\\\\appdata\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\|\\\\windows\\\\temp\\\\|\\\\recycle)"),
    1, 0
  )
| eval SuspicionScore=IsKnownMalware*3 + ((IsGUIDMutex + IsHexMutex) * IsSuspiciousPath * (1 - IsSystemProcess))
| where SuspicionScore > 0
| eval DetectionBranch="WindowsMutantObject"
| table _time, host, SubjectUserName, ProcessName, ProcessId, MutexName,
        IsKnownMalware, IsGUIDMutex, IsHexMutex, SuspicionScore, DetectionBranch
| append [
  search index=linux_audit sourcetype="linux:audit" syscall IN ("flock", "fcntl", "open", "openat")
      (name="/var/run/*.lock" OR name="/var/lock/*.lock" OR name="/var/run/*.pid")
  | eval ProcessPath=coalesce(exe, "unknown")
  | eval ProcessName=replace(ProcessPath, ".*/", "")
  | eval IsSystemProcess=if(
      match(ProcessPath, "^(/usr/sbin/|/usr/bin/|/usr/lib/|/lib/systemd/|/sbin/|/bin/)"),
      1, 0
    )
  | where IsSystemProcess=0
  | eval MutexName=coalesce(name, "(lock_file)")
  | eval SuspicionScore=2
  | eval DetectionBranch="LinuxFileMutex"
  | table _time, host, ProcessName, ProcessPath, uid, MutexName, SuspicionScore, DetectionBranch
]
| sort - _time

high severity medium confidence

Data Sources

Process: OS API Execution (Windows Kernel Object Auditing) File: File Access (Linux auditd) Windows Security Event ID 4663 Linux auditd syscall events

Required Sourcetypes

WinEventLog:Security linux:audit

False Positives

Legitimate .NET/COM server applications using GUID-format named mutexes for inter-process synchronization in application directories
NSIS and WiX-based software installers creating temporary GUID-named mutexes during installation from user temp paths
Package managers (apt-get, yum, dnf) writing lock files to /var/run/apt/ or /var/lock/ during package operations
Monitoring agents (Datadog, Nagios NRPE, Zabbix agent) creating PID files in /var/run/ at startup
High-volume kernel object auditing environments generating excessive 4663 events requiring additional tuning filters

Elastic Security (EQL)

eql

/* BRANCH 1 — Deploy as Elastic Rule 1: Windows Kernel Mutant Object Access via Security Event 4663 */
/* Requires: Windows Security audit policy — auditpol /set /subcategory:"Kernel Object" /success:enable */
any where event.code == "4663" and
  winlog.event_data.ObjectType == "Mutant" and
  (
    winlog.event_data.ObjectName in~ (
      "LoadUpOnGunsBringYourFriends",
      "mymutex",
      "{12d61a41-4b74-7610-a4d8-3028d2f56395}",
      "{531511FA-190D-5D85-8A4A-279F2F592CC7}",
      "I_am_an_unique_mutex",
      "Global\\TermService_alive",
      "Global\\MS_HIDDENCLK_R"
    ) or
    winlog.event_data.ObjectName regex~ "^\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\\}$" or
    winlog.event_data.ObjectName regex~ "^Global\\\\[0-9A-Fa-f]{32}$"
  ) and
  not winlog.event_data.ProcessName in~ (
    "svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe",
    "msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe"
  )

/* BRANCH 2 — Deploy as Elastic Rule 2: Linux /var/run/ or /var/lock/ Lock File Creation by Untrusted Process */
/* Covers BPFDoor (/var/run/initd.lock) and RedXOR file-lock single-instance patterns */
file where event.action == "creation" and
  (
    file.path like "/var/run/*.lock" or
    file.path like "/var/run/*.pid" or
    file.path like "/var/run/*.run" or
    file.path like "/var/lock/*.lock"
  ) and
  not process.name in (
    "systemd", "init", "chronyd", "sshd", "crond", "cron",
    "rsyslogd", "dbus-daemon", "NetworkManager", "nginx",
    "apache2", "httpd", "mysqld", "postgres", "postfix",
    "auditd", "dockerd", "containerd", "kubelet"
  ) and
  not (
    process.executable like "/usr/sbin/*" or
    process.executable like "/usr/bin/*" or
    process.executable like "/usr/lib/*" or
    process.executable like "/lib/systemd/*" or
    process.executable like "/sbin/*" or
    process.executable like "/bin/*"
  )

high severity medium confidence

Data Sources

Windows Security Event Log — Event ID 4663 (Object Access: Kernel Object / Mutant type), requires auditpol Kernel Object subcategory enabled Elastic Agent endpoint integration — file creation events (Linux auditd or Elastic Endpoint sensor) Winlogbeat or Elastic Agent Windows integration forwarding Security channel events

Required Tables

logs-windows.security-* logs-system.security-* logs-endpoint.events.file-* auditbeat-* winlogbeat-*

False Positives

Enterprise software (Adobe Creative Cloud, Microsoft Office, JetBrains IDEs) that generates GUID-format named mutexes for single-instance enforcement at startup — build an Elastic exception list scoped to known process hashes or code-signed executable paths
Container runtimes and orchestration agents (containerd, dockerd, kubelet) creating socket or PID files in /var/run/ — excluded by default process name list, but snap/flatpak-packaged versions running outside /usr/bin may trigger Branch 2; add those path prefixes to the exclusion condition
Patch management and software deployment agents (SCCM, Intune Management Extension, Puppet) that create temporary named mutex objects or lock files during installation or policy enforcement windows — correlate alert timing with change management records

IBM QRadar (AQL)

sql

/* T1480.002 — Mutex Execution Guardrail: Windows Mutant Object Access */
/* Requires Windows Security DSM with Event 4663 ingestion and Kernel Object auditing enabled */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip AS host_ip,
  username AS subject_user,
  UTF8(payload) AS raw_event,
  CASE
    WHEN UTF8(payload) ILIKE '%LoadUpOnGunsBringYourFriends%'
      OR UTF8(payload) ILIKE '%mymutex%'
      OR UTF8(payload) ILIKE '%I_am_an_unique_mutex%'
      OR UTF8(payload) ILIKE '%TermService_alive%'
      OR UTF8(payload) ILIKE '%MS_HIDDENCLK_R%'
      OR UTF8(payload) ILIKE '%12d61a41-4b74-7610-a4d8-3028d2f56395%'
      OR UTF8(payload) ILIKE '%531511FA-190D-5D85-8A4A-279F2F592CC7%'
    THEN 3
    WHEN REGEXP_LIKE(UTF8(payload), '\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}')
    THEN 2
    WHEN REGEXP_LIKE(UTF8(payload), 'Global\\[0-9A-Fa-f]{32}')
    THEN 2
    ELSE 1
  END AS suspicion_score,
  eventid,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  eventid = 4663
  AND UTF8(payload) ILIKE '%ObjectType:%Mutant%'
  AND (
    UTF8(payload) ILIKE '%LoadUpOnGunsBringYourFriends%' OR
    UTF8(payload) ILIKE '%mymutex%' OR
    UTF8(payload) ILIKE '%I_am_an_unique_mutex%' OR
    UTF8(payload) ILIKE '%TermService_alive%' OR
    UTF8(payload) ILIKE '%MS_HIDDENCLK_R%' OR
    UTF8(payload) ILIKE '%12d61a41-4b74-7610-a4d8-3028d2f56395%' OR
    UTF8(payload) ILIKE '%531511FA-190D-5D85-8A4A-279F2F592CC7%' OR
    REGEXP_LIKE(UTF8(payload), 'ObjectName:\s*\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}') OR
    REGEXP_LIKE(UTF8(payload), 'ObjectName:\s*Global\\[0-9A-Fa-f]{32}')
  )
  AND NOT (
    UTF8(payload) ILIKE '%Process Name:%svchost.exe%' OR
    UTF8(payload) ILIKE '%Process Name:%lsass.exe%' OR
    UTF8(payload) ILIKE '%Process Name:%services.exe%' OR
    UTF8(payload) ILIKE '%Process Name:%MsMpEng.exe%' OR
    UTF8(payload) ILIKE '%Process Name:%msiexec.exe%' OR
    UTF8(payload) ILIKE '%Process Name:%TiWorker.exe%' OR
    UTF8(payload) ILIKE '%Process Name:%TrustedInstaller.exe%'
  )
LAST 24 HOURS
ORDER BY suspicion_score DESC, event_time DESC

high severity medium confidence

Data Sources

Windows Security Event Log — Event ID 4663 via QRadar Windows Security Event Log DSM WinCollect agent or syslog-based Windows Security event forwarding to QRadar Microsoft Windows Security Event Log DSM (requires auditpol Kernel Object subcategory enabled on endpoints)

Required Tables

events

False Positives

Enterprise license managers (FlexLM, Sentinel HASP) and DRM solutions that use GUID-format named mutexes for activation state tracking — correlate with software inventory and add known-good process names to the exclusion block
Microsoft .NET runtime and CLR components that create GUID-based mutex objects internally during application startup — these typically run from %ProgramFiles% or Windows directories but may still trigger on the GUID pattern if process path normalization in payload differs
Vulnerability scanners and EDR products running internal diagnostics that create short-lived Mutant objects with hex-format names — validate by checking event frequency: malware mutexes are created once at process start, not repeatedly

Sumo Logic CSE

sql

// Branch 1: Windows Mutant Object Access via Security Event 4663
// Run against Windows Security sourcecategory
(_sourceCategory=windows/security OR _sourceCategory=*WinEventLog*Security* OR _sourceCategory=*winlogbeat*)
| where EventCode = "4663" OR EventID = "4663"
| parse regex field=_raw "ObjectType:\s+(?P<ObjectType>[^\r\n]+)" nodrop
| parse regex field=_raw "Object Name:\s+(?P<ObjectName>[^\r\n]+)" nodrop
| parse regex field=_raw "Process Name:\s+(?P<ProcessName>[^\r\n]+)" nodrop
| parse regex field=_raw "Process ID:\s+(?P<ProcessId>[^\r\n]+)" nodrop
| parse regex field=_raw "Account Name:\s+(?P<SubjectUser>[^\r\n]+)" nodrop
| where ObjectType = "Mutant"
| where ObjectName = "LoadUpOnGunsBringYourFriends"
    OR ObjectName = "mymutex"
    OR ObjectName = "{12d61a41-4b74-7610-a4d8-3028d2f56395}"
    OR ObjectName = "{531511FA-190D-5D85-8A4A-279F2F592CC7}"
    OR ObjectName = "I_am_an_unique_mutex"
    OR ObjectName = "Global\\TermService_alive"
    OR ObjectName = "Global\\MS_HIDDENCLK_R"
    OR ObjectName matches /^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$/
    OR ObjectName matches /^Global\\[0-9A-Fa-f]{32}$/
| where !(ProcessName matches /(?i)(svchost|services|lsass|MsMpEng|SenseIR|msiexec|TiWorker|TrustedInstaller)\.exe$/)
| eval SuspicionScore = if(ObjectName = "LoadUpOnGunsBringYourFriends" OR ObjectName = "mymutex" OR ObjectName = "I_am_an_unique_mutex" OR ObjectName = "Global\\TermService_alive" OR ObjectName = "Global\\MS_HIDDENCLK_R", 3,
    if(ObjectName matches /^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$/ OR ObjectName matches /^Global\\[0-9A-Fa-f]{32}$/, 2, 1))
| eval DetectionBranch = "WindowsMutantAccess"
| fields _messageTime, _sourceHost, SubjectUser, ProcessName, ProcessId, ObjectName, SuspicionScore, DetectionBranch
| sort by SuspicionScore desc, _messageTime desc

// Branch 2: Linux Lock File Creation by Untrusted Process — deploy as separate saved search
// Run against Linux audit sourcecategory
(_sourceCategory=linux/audit OR _sourceCategory=*auditd*)
| where syscall IN ("flock", "fcntl", "open", "openat")
| where name matches "/var/run/*.lock"
    OR name matches "/var/lock/*.lock"
    OR name matches "/var/run/*.pid"
    OR name matches "/var/run/*.run"
| where !(exe matches /^(\/usr\/sbin\/|\/usr\/bin\/|\/usr\/lib\/|\/lib\/systemd\/|\/sbin\/|\/bin\/).*$/)
| where !(exe matches /(systemd|init|chronyd|sshd|crond|cron|rsyslogd|dbus-daemon|NetworkManager|nginx|apache2|mysqld|postgres|postfix|auditd|dockerd|containerd|kubelet)$/)
| eval ProcessName = replace(exe, ".*/", "")
| eval SuspicionScore = 2
| eval DetectionBranch = "LinuxFileLock"
| fields _messageTime, _sourceHost, ProcessName, exe, uid, name, syscall, SuspicionScore, DetectionBranch
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Security Event Log via Sumo Logic Windows agent (sourceCategory=windows/security or WinEventLog:Security) Linux auditd via Sumo Logic installed collector with syslog or audit log source (sourceCategory=linux/audit or auditd) Sumo Logic Cloud SIEM with normalized Windows and Linux security event schemas

Required Tables

windows/security linux/audit

False Positives

Third-party enterprise applications (AutoCAD, SolidWorks, Adobe) running from standard Program Files paths that use GUID mutex names for single-instance enforcement — add process name OR process path conditions to the exclusion block after baselining
Configuration management agents (Puppet, Chef, SaltStack) deployed to /opt/ or /usr/local/bin/ that create lock files in /var/run/ during run locks — extend the exe path exclusion regex to cover trusted third-party agent paths
Python or Ruby runtime applications that create /var/run/*.pid files for daemon management when deployed outside standard system paths — tune by correlating with known application deployment inventory and adding specific executable patterns

Google Chronicle / SecOps

yaral

rule t1480_002_known_malware_mutex_names {
  meta:
    author = "df00tech"
    description = "Detects T1480.002: exact match against known malware mutex names used for single-instance execution guardrails. Covers Embargo ransomware, GrimAgent, SUNSPOT (SolarWinds intrusion), and Gazer backdoor (Turla group)."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1480.002"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1480/002/"
    version = "1.0"

  events:
    $e.metadata.event_type = "MUTEX_CREATION"
    (
      $e.target.resource.name = "LoadUpOnGunsBringYourFriends" or
      $e.target.resource.name = "mymutex" or
      $e.target.resource.name = "{12d61a41-4b74-7610-a4d8-3028d2f56395}" or
      $e.target.resource.name = "{531511FA-190D-5D85-8A4A-279F2F592CC7}" or
      $e.target.resource.name = "I_am_an_unique_mutex" or
      $e.target.resource.name = "Global\\TermService_alive" or
      $e.target.resource.name = "Global\\MS_HIDDENCLK_R"
    )

  condition:
    $e
}

rule t1480_002_guid_hex_mutex_suspicious_path {
  meta:
    author = "df00tech"
    description = "Detects T1480.002: GUID-format or hex-padded Global mutex creation by processes running from user-writable or suspicious paths (AppData, Temp, ProgramData, Recycle). Excludes known trusted system processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1480.002"
    severity = "MEDIUM"
    priority = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "MUTEX_CREATION"
    (
      re.regex($e.target.resource.name, `^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$`) or
      re.regex($e.target.resource.name, `^Global\\[0-9A-Fa-f]{32}$`)
    )
    re.regex($e.principal.process.file.full_path, `(?i)(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|\\Recycle)`)
    not $e.principal.process.file.basename in (
      "svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe",
      "msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe"
    )

  condition:
    $e
}

rule t1480_002_linux_lockfile_untrusted_process {
  meta:
    author = "df00tech"
    description = "Detects T1480.002 Linux variant: creation of .lock, .pid, or .run files in /var/run/ or /var/lock/ by a process whose executable does not originate from standard system binary directories. Covers BPFDoor (/var/run/initd.lock) and RedXOR single-instance patterns."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1480.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path, `^/var/(run|lock)/.+\.(lock|pid|run)$`)
    not re.regex($e.principal.process.file.full_path, `^(/usr/sbin/|/usr/bin/|/usr/lib/|/lib/systemd/|/sbin/|/bin/)`)
    not $e.principal.process.file.basename in (
      "systemd", "init", "chronyd", "sshd", "crond", "cron",
      "rsyslogd", "dbus-daemon", "NetworkManager", "nginx",
      "apache2", "httpd", "mysqld", "postgres", "postfix",
      "auditd", "dockerd", "containerd", "kubelet"
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM MUTEX_CREATION events sourced from Microsoft Defender for Endpoint, CrowdStrike Falcon, or Carbon Black EDR telemetry Google Chronicle UDM FILE_CREATION events from Linux EDR sensors or auditd via Chronicle ingestion pipeline Windows Security Event 4663 forwarded into Chronicle and normalized to MUTEX_CREATION UDM event type

Required Tables

UDM events with metadata.event_type = MUTEX_CREATION UDM events with metadata.event_type = FILE_CREATION

False Positives

Enterprise applications (Adobe, Autodesk, SAP, JetBrains) running installers or updaters from AppData paths that create GUID-format mutexes for single-instance enforcement — build Chronicle reference lists of known-good process SHA256 hashes for Rule 2 suppression
Snap-packaged or Flatpak-wrapped Linux services (e.g., snap-installed Docker) that create PID or lock files in /var/run/ but execute from /snap/bin/ or /var/lib/flatpak/ — these paths are not in the system binary exclusion list in Rule 3; add them via regex extension
Custom in-house Linux daemons deployed to /opt/, /usr/local/, or /srv/ that legitimately write PID files to /var/run/ following init.d/systemd conventions — extend Rule 3 exclusion with organizational trusted paths or build a Chronicle reference list of approved non-system service executables

CrowdStrike LogScale (CQL)

cql

// Branch 1: Known malware mutex names via CrowdStrike SyncMutexCreate kernel telemetry
// Covers Embargo ransomware, GrimAgent, SUNSPOT, Gazer backdoor (Turla)
#event_simpleName = SyncMutexCreate
| MutexName = /(?i)(LoadUpOnGunsBringYourFriends|mymutex|\{12d61a41-4b74-7610-a4d8-3028d2f56395\}|\{531511FA-190D-5D85-8A4A-279F2F592CC7\}|I_am_an_unique_mutex|Global\\TermService_alive|Global\\MS_HIDDENCLK_R)/
| eval(SuspicionScore=3, DetectionBranch="KnownMalwareMutex")
| table([@timestamp, ComputerName, UserName, FileName, FilePath, CommandLine, MutexName, ParentBaseFileName, SuspicionScore, DetectionBranch])

// Branch 2: GUID-format or hex-padded Global mutex from user-writable or suspicious process path
#event_simpleName = SyncMutexCreate
| MutexName = /^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$|^Global\\[0-9A-Fa-f]{32}$/
| FilePath = /(?i)(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|\\Recycle)/
| FileName != /(?i)^(svchost|services|lsass|MsMpEng|SenseIR|msiexec|TiWorker|TrustedInstaller)\.exe$/
| eval(SuspicionScore=2, DetectionBranch="PatternMutexSuspiciousPath")
| table([@timestamp, ComputerName, UserName, FileName, FilePath, CommandLine, MutexName, ParentBaseFileName, SuspicionScore, DetectionBranch])

// Branch 3: Linux lock file creation in /var/run/ or /var/lock/ by non-system process
// Covers BPFDoor (/var/run/initd.lock) and RedXOR file-lock single-instance pattern
#event_simpleName = FileCreate
| TargetFileName = /^\/var\/(run|lock)\/.+\.(lock|pid|run)$/
| FilePath != /^(\/usr\/sbin\/|\/usr\/bin\/|\/usr\/lib\/|\/lib\/systemd\/|\/sbin\/|\/bin\/)/
| FileName != /^(systemd|init|chronyd|sshd|crond|cron|rsyslogd|dbus-daemon|NetworkManager|nginx|apache2|httpd|mysqld|postgres|postfix|auditd|dockerd|containerd|kubelet)$/
| eval(SuspicionScore=2, DetectionBranch="LinuxFileLockMutex")
| table([@timestamp, ComputerName, UserName, FileName, FilePath, CommandLine, TargetFileName, SuspicionScore, DetectionBranch])

high severity medium confidence

Data Sources

CrowdStrike Falcon Insight XDR — SyncMutexCreate kernel telemetry events (Windows named mutex creation) CrowdStrike Falcon Endpoint Protection — FileCreate events (Windows and Linux) Falcon sensor with extended kernel visibility and Linux sensor with file creation event telemetry enabled

Required Tables

SyncMutexCreate FileCreate

False Positives

Software license enforcement tools (Flexera FlexNet, Thales Sentinel) that use GUID-based mutexes for concurrent-use license control, frequently running installer components from AppData staging directories — add software deployment process names and signed binary hashes to Branch 2 exclusion list
Development toolchains (Visual Studio, PyCharm, Gradle build daemons) that create GUID-format mutex objects when spawning background compiler or indexer processes from project directories under AppData — verify by checking ParentBaseFileName and CommandLine context; add IDE process names to Branch 2 FileName exclusion
Linux applications packaged via Snap or AppImage that create PID files in /var/run/ but execute from /snap/bin/, /var/lib/flatpak/, or /tmp/appimage-* paths — these will fire Branch 3 since those paths are not in the system binary exclusion; build a Falcon Fusion workflow to auto-suppress based on code-signed AppImage metadata or snap package name

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1480.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Mutual Exclusion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections