Detect Mutual Exclusion in Google Chronicle
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource; only one thread or process can hold a given mutex at a time. By creating a uniquely named system mutex at startup, malware checks whether a prior instance is already running: if the mutex already exists (on Windows, CreateMutex still returns a handle but GetLastError reports ERROR_ALREADY_EXISTS), the new instance silently exits. That prevents duplicate infections, which would otherwise produce redundant processes, connections and log entries and so increase analyst visibility. Mutex names may be hard-coded strings (Embargo ransomware uses "LoadUpOnGunsBringYourFriends", SUNSPOT uses a GUID string, Gazer uses "{531511FA-190D-5D85-8A4A-279F2F592CC7}"), derived from the host (LockBit 3.0 hashes the MachineGuid registry value), or computed from the binary itself (GrimAgent uses the last 64 bytes of its PE file); a static list of names only ever catches the first category. On Linux, where the Windows mutex API is unavailable, malware such as BPFDoor achieves the same single-instance effect by taking an exclusive file lock on a runtime file, typically under /var/run/. Mutex-based execution guardrails indicate operational maturity: they reduce noise from redundant infections and help adversaries maintain stealth during long-dwell campaigns.
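Added example, not the page's code and not any malware sample's: the three guardrail patterns just described, written as plain Python functions. windows_named_mutex() does the CreateMutexW call and checks for ERROR_ALREADY_EXISTS (Windows only; run on a Windows host with EDR, the call with the Embargo name produces the MUTEX_CREATION event that Test 1 under Testing Methodology expects). posix_lockfile_guard() is the BPFDoor-style variant, a non-blocking exclusive flock() on a runtime file, and demo_lockfile() shows a "second instance" being refused. machine_derived_name() builds a LockBit 3.0-style Global\ plus 32-hex name from a MachineGuid string; the page does not say which hash LockBit 3.0 uses, so MD5 is an assumption chosen only because it yields the 32-hex-character shape Rule 2 below matches. The lock-file path under the temp directory is likewise a constructed choice.

```python
# Added example (not from the page, not any malware sample's code): the three
# single-instance guardrail patterns described above, as plain functions.
#   windows_named_mutex()  CreateMutexW + ERROR_ALREADY_EXISTS check (Windows only)
#   posix_lockfile_guard() flock(LOCK_EX | LOCK_NB) on a runtime file (BPFDoor style)
#   machine_derived_name() "Global\" + hex digest of the MachineGuid (LockBit 3.0 style)
# Assumption: MD5 is used only because it gives the 32-hex-character shape that
# Rule 2 looks for; the page does not state which hash LockBit 3.0 uses.
import ctypes
import hashlib
import os
import sys
import tempfile
from typing import Optional, Tuple

ERROR_ALREADY_EXISTS = 183  # winerror.h


def windows_named_mutex(name: str) -> Optional[int]:
    """Create a named mutex. Returns the handle when this process is the first
    instance, or None when the name already existed (the guardrail's exit path)."""
    if sys.platform != "win32":
        raise OSError("named mutexes are a Windows kernel-object feature")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    kernel32.CreateMutexW.argtypes = (ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    handle = kernel32.CreateMutexW(None, 0, name)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    if ctypes.get_last_error() == ERROR_ALREADY_EXISTS:
        kernel32.CloseHandle(handle)  # another instance owns the name: bail out
        return None
    return handle


def posix_lockfile_guard(path: str):
    """Try a non-blocking exclusive flock() on `path`. Returns the open file object
    (keep a reference: closing it releases the lock) or None if another open file
    description already holds the lock. flock() locks belong to the open file
    description, so a second open()+flock() conflicts even inside one process."""
    import fcntl  # POSIX only
    fh = open(path, "a+")
    try:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        fh.close()
        return None
    fh.seek(0)
    fh.truncate()
    fh.write(str(os.getpid()))  # conventional PID-file content
    fh.flush()
    return fh


def machine_derived_name(machine_guid: str) -> str:
    """LockBit 3.0 style: hash the host's MachineGuid so the name is unique per
    victim yet reproducible by a second copy of the sample on the same host."""
    digest = hashlib.md5(machine_guid.encode("utf-8")).hexdigest()  # assumption, see above
    return "Global\\" + digest


def demo_lockfile(path: Optional[str] = None) -> Tuple[bool, bool]:
    """Simulate two instances racing for the same lock file. Returns
    (first_acquired, second_acquired); a working guardrail yields (True, False)."""
    path = path or os.path.join(tempfile.gettempdir(), "df00tech-initd.lock")
    first = posix_lockfile_guard(path)
    second = posix_lockfile_guard(path)  # "second instance": must see the lock held
    result = (first is not None, second is not None)
    for fh in (first, second):
        if fh is not None:
            fh.close()
    os.remove(path)
    return result


if __name__ == "__main__":
    print("lockfile guardrail (first, second):", demo_lockfile())
    print("machine-derived name:", machine_derived_name("11111111-2222-3333-4444-555555555555"))
    if sys.platform == "win32":
        handle = windows_named_mutex("LoadUpOnGunsBringYourFriends")
        print("first instance" if handle else "mutex already exists; exiting")
```

On a Windows host the real MachineGuid can be read with winreg from HKLM\SOFTWARE\Microsoft\Cryptography and passed to machine_derived_name(); on the EDR side that read plus the resulting Global\ mutex is exactly what Test 3 under Testing Methodology looks for.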
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1480 Execution Guardrails
- Sub-technique
- T1480.002 Mutual Exclusion
- Canonical reference
- https://attack.mitre.org/techniques/T1480/002/
YARA-L Detection Query
rule t1480_002_known_malware_mutex_names {
    meta:
        author = "df00tech"
        description = "Detects T1480.002: match against known hard-coded malware mutex names used for single-instance execution guardrails. Covers Embargo ransomware, SUNSPOT (SolarWinds intrusion), and Gazer backdoor (Turla group). GrimAgent derives its mutex name from the binary and cannot be covered by a static list. An optional Global\\ or Local\\ namespace prefix is accepted because EDR sources differ on whether they report it."
        mitre_attack_tactic = "Defense Evasion"
        mitre_attack_technique = "T1480.002"
        severity = "HIGH"
        priority = "HIGH"
        reference = "https://attack.mitre.org/techniques/T1480/002/"
        version = "1.0"
    events:
        $e.metadata.event_type = "MUTEX_CREATION"
        // Windows object names are case-sensitive, so no (?i). The namespace
        // prefix is optional: some sources report "Global\LoadUpOnGunsBringYourFriends",
        // others only the bare name, and an exact string compare misses one of them.
        re.regex($e.target.resource.name, `^(Global\\|Local\\)?(LoadUpOnGunsBringYourFriends|mymutex|\{12d61a41-4b74-7610-a4d8-3028d2f56395\}|\{531511FA-190D-5D85-8A4A-279F2F592CC7\}|I_am_an_unique_mutex|TermService_alive|MS_HIDDENCLK_R)$`)
    condition:
        $e
}
rule t1480_002_guid_hex_mutex_suspicious_path {
    meta:
        author = "df00tech"
        description = "Detects T1480.002: GUID-format or hex-padded Global mutex creation by processes running from user-writable or suspicious paths (AppData, Temp, ProgramData, Recycle). Excludes known trusted system processes."
        mitre_attack_tactic = "Defense Evasion"
        mitre_attack_technique = "T1480.002"
        severity = "MEDIUM"
        priority = "HIGH"
        version = "1.0"
    events:
        $e.metadata.event_type = "MUTEX_CREATION"
        (
            re.regex($e.target.resource.name, `^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$`) or
            re.regex($e.target.resource.name, `^Global\\[0-9A-Fa-f]{32}$`)
        )
        re.regex($e.principal.process.file.full_path, `(?i)(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|\\Recycle)`)
        not $e.principal.process.file.basename in (
            "svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe",
            "msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe"
        )
    condition:
        $e
}
rule t1480_002_linux_lockfile_untrusted_process {
    meta:
        author = "df00tech"
        description = "Detects T1480.002 Linux variant: creation of .lock, .pid, or .run files under /var/run/, /var/lock/ or their /run aliases by a process whose executable does not originate from standard system binary directories. Covers BPFDoor (/var/run/initd.lock) and RedXOR single-instance patterns."
        mitre_attack_tactic = "Defense Evasion"
        mitre_attack_technique = "T1480.002"
        severity = "HIGH"
        priority = "HIGH"
        version = "1.0"
    events:
        $e.metadata.event_type = "FILE_CREATION"
        // On systemd distributions /var/run and /var/lock are symlinks to /run and
        // /run/lock; telemetry may report either form, so both are accepted.
        re.regex($e.target.file.full_path, `^(/var)?/(run|lock)/.+\.(lock|pid|run)$`)
        not re.regex($e.principal.process.file.full_path, `^(/usr/sbin/|/usr/bin/|/usr/lib/|/lib/systemd/|/sbin/|/bin/)`)
        not $e.principal.process.file.basename in (
            "systemd", "init", "chronyd", "sshd", "crond", "cron",
            "rsyslogd", "dbus-daemon", "NetworkManager", "nginx",
            "apache2", "httpd", "mysqld", "postgres", "postfix",
            "auditd", "dockerd", "containerd", "kubelet"
        )
    condition:
        $e
}

Three Chronicle YARA-L 2.0 detection rules for T1480.002, each targeting a distinct signal tier. Rule 1 is a high-confidence match against known hard-coded malware mutex strings (Embargo ransomware, the SUNSPOT GUID, the Gazer GUID and the other names listed) on MUTEX_CREATION UDM events: alert immediately. Rule 2 matches structural mutex patterns (GUID format, or Global\ followed by 32 hex characters, the shape of the LockBit 3.0 MachineGuid hash) created by processes running from user-writable paths, excluding trusted system processes: medium confidence, requires analyst review. Rule 3 detects the Linux equivalent: FILE_CREATION events for .lock/.pid/.run files under /var/run/ or /var/lock/ from processes outside standard system binary directories, covering BPFDoor and RedXOR single-instance lock patterns. Deploy all three rules together, but do not read that as complete coverage: a name computed at runtime from the binary (GrimAgent's last 64 PE bytes) matches neither Rule 1 nor, unless it happens to take a GUID or 32-hex shape, Rule 2. MUTEX_CREATION events also require EDR telemetry ingested into Chronicle (Microsoft Defender for Endpoint, CrowdStrike Falcon, or Carbon Black); without a mutex-capable source Rules 1 and 2 never fire, and only the Linux file-based rule has data to work with.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise applications (Adobe, Autodesk, SAP, JetBrains) running installers or updaters from AppData paths that create GUID-format mutexes for single-instance enforcement — build Chronicle reference lists of known-good process SHA256 hashes for Rule 2 suppression
- Snap-packaged or Flatpak-wrapped Linux services (e.g., snap-installed Docker) that create PID or lock files in /var/run/ but execute from /snap/bin/ or /var/lib/flatpak/ — these paths are not in the system binary exclusion list in Rule 3; add them via regex extension
- Custom in-house Linux daemons deployed to /opt/, /usr/local/, or /srv/ that legitimately write PID files to /var/run/ following init.d/systemd conventions — extend Rule 3 exclusion with organizational trusted paths or build a Chronicle reference list of approved non-system service executables
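Added example, not Chronicle code and not part of the original page: the three YARA-L tiers above re-implemented in Python over UDM-shaped dictionaries, so the matching logic and the two tuning knobs recommended in the False Positives list can be exercised offline. Every event in SAMPLE_EVENTS is constructed, including the process paths and the placeholder SHA256, and the function and variable names are mine. The re-implementation deliberately goes further than the YARA-L in three places: Tier 1 accepts an optional Global\ or Local\ namespace prefix (EDRs differ on whether they report it), Tier 3 treats /run and /var/run as the same directory (most systemd distributions symlink them), and Tier 2 takes a SHA256 allowlist while Tier 3 takes extra trusted path prefixes, standing in for the Chronicle reference lists the tuning section suggests.

```python
# Added example (not Chronicle code; all events below are constructed): the three
# YARA-L tiers re-implemented in Python over UDM-shaped dicts, plus the two tuning
# knobs from the False Positives section (SHA256 allowlist, extra trusted paths).
import posixpath
import re
from typing import Dict, FrozenSet, Iterable, List

_NAMESPACE_RE = re.compile(r"^(?:Global|Local)\\")  # optional Windows object namespace
# Tier 1: the hard-coded names from the rule, stored without namespace prefix so the
# comparison works whether or not the EDR reports "Global\" in front of the name.
KNOWN_MUTEX_NAMES = frozenset(_NAMESPACE_RE.sub("", n) for n in (
    "LoadUpOnGunsBringYourFriends", "mymutex",
    "{12d61a41-4b74-7610-a4d8-3028d2f56395}", "{531511FA-190D-5D85-8A4A-279F2F592CC7}",
    "I_am_an_unique_mutex", "Global\\TermService_alive", "Global\\MS_HIDDENCLK_R",
))
# Tier 2: structural shapes (GUID, or Global\ + 32 hex = LockBit 3.0 MachineGuid hash).
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
HEX32_RE = re.compile(r"^Global\\[0-9A-Fa-f]{32}$")
SUSPICIOUS_PATH_RE = re.compile(
    r"\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|\\Recycle",
    re.I)
TRUSTED_WIN = frozenset({"svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe",
                         "msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe"})
# Tier 3: /var/run and /var/lock are accepted with or without the /var prefix.
LOCKFILE_RE = re.compile(r"^(?:/var)?/(?:run|lock)/.+\.(?:lock|pid|run)$")
SYSTEM_BIN_RE = re.compile(r"^(?:/usr/sbin/|/usr/bin/|/usr/lib/|/lib/systemd/|/sbin/|/bin/)")
TRUSTED_LINUX = frozenset({"systemd", "init", "chronyd", "sshd", "crond", "cron", "rsyslogd",
                           "dbus-daemon", "NetworkManager", "nginx", "apache2", "httpd",
                           "mysqld", "postgres", "postfix", "auditd", "dockerd", "containerd",
                           "kubelet"})


def _basename(path: str) -> str:
    return posixpath.basename(path.replace("\\", "/"))  # works for both path styles


def tier1_known_name(ev: Dict) -> bool:
    return (ev["event_type"] == "MUTEX_CREATION"
            and _NAMESPACE_RE.sub("", ev["mutex_name"]) in KNOWN_MUTEX_NAMES)


def tier2_structural(ev: Dict, allowlist_sha256: FrozenSet[str] = frozenset()) -> bool:
    if ev["event_type"] != "MUTEX_CREATION":
        return False
    proc = ev["process"]
    if proc.get("sha256", "").lower() in allowlist_sha256:
        return False  # reference-list suppression of approved installers/updaters
    name = ev["mutex_name"]
    if not (GUID_RE.match(name) or HEX32_RE.match(name)):
        return False
    return (bool(SUSPICIOUS_PATH_RE.search(proc["full_path"]))
            and _basename(proc["full_path"]) not in TRUSTED_WIN)


def tier3_linux_lockfile(ev: Dict, extra_trusted_paths: Iterable[str] = ()) -> bool:
    if ev["event_type"] != "FILE_CREATION" or not LOCKFILE_RE.match(ev["file_path"]):
        return False
    exe = ev["process"]["full_path"]
    if SYSTEM_BIN_RE.match(exe) or exe.startswith(tuple(extra_trusted_paths)):
        return False  # system binary dirs, or organisational paths added by tuning
    return _basename(exe) not in TRUSTED_LINUX


def classify(ev: Dict, allowlist_sha256=frozenset(), extra_trusted_paths=()) -> List[str]:
    """Names of the rules that would fire for one event, in tier order."""
    hits = []
    if tier1_known_name(ev):
        hits.append("t1480_002_known_malware_mutex_names")
    if tier2_structural(ev, allowlist_sha256):
        hits.append("t1480_002_guid_hex_mutex_suspicious_path")
    if tier3_linux_lockfile(ev, extra_trusted_paths):
        hits.append("t1480_002_linux_lockfile_untrusted_process")
    return hits


def run_all(events: Iterable[Dict], **tuning) -> Dict[str, List[str]]:
    return {ev["id"]: classify(ev, **tuning) for ev in events}


VENDOR_SHA256 = "ab" * 32  # constructed placeholder digest for an approved installer
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": "embargo-global-prefix", "event_type": "MUTEX_CREATION",
     "mutex_name": "Global\\LoadUpOnGunsBringYourFriends",
     "process": {"full_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\embargo.exe"}},
    {"id": "sunspot-guid-roaming", "event_type": "MUTEX_CREATION",
     "mutex_name": "{12d61a41-4b74-7610-a4d8-3028d2f56395}",
     "process": {"full_path": "C:\\Users\\bob\\AppData\\Roaming\\svc\\update.exe"}},
    {"id": "adobe-guid-programfiles", "event_type": "MUTEX_CREATION",
     "mutex_name": "{A1B2C3D4-E5F6-0718-293A-4B5C6D7E8F90}",
     "process": {"full_path": "C:\\Program Files\\Adobe\\Updater\\AdobeUpdater.exe"}},
    {"id": "vendor-installer-programdata", "event_type": "MUTEX_CREATION",
     "mutex_name": "{A1B2C3D4-E5F6-0718-293A-4B5C6D7E8F90}",
     "process": {"full_path": "C:\\ProgramData\\Vendor\\installer.exe", "sha256": VENDOR_SHA256}},
    {"id": "bpfdoor-style-run-lock", "event_type": "FILE_CREATION",
     "file_path": "/run/initd.lock", "process": {"full_path": "/tmp/.x/initd"}},
    {"id": "nginx-pid", "event_type": "FILE_CREATION",
     "file_path": "/var/run/nginx.pid", "process": {"full_path": "/usr/sbin/nginx"}},
    {"id": "inhouse-daemon-pid", "event_type": "FILE_CREATION",
     "file_path": "/var/run/myapp.pid", "process": {"full_path": "/opt/myapp/bin/myapp"}},
]

if __name__ == "__main__":
    for ev_id, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{ev_id:32s} {hits or '-'}")
```

Running the block prints which rule names fire for each sample event; calling run_all(SAMPLE_EVENTS, allowlist_sha256=frozenset({VENDOR_SHA256}), extra_trusted_paths=("/opt/myapp/",)) shows the same events after the tuning from the list above has been applied, with the ProgramData installer and the in-house daemon suppressed.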
Testing Methodology
Validate these rules with the four Atomic Red Team style test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see; the executable commands and cleanup steps are part of the Pro package.
- Test 1: Windows Named Mutex Creation with Known Malware Name (Embargo)
Expected signal: DeviceEvents with ActionType containing 'Mutex' (if MDE ETW enabled): AdditionalFields will include MutexName='Global\LoadUpOnGunsBringYourFriends', InitiatingProcessFileName='powershell.exe'. Windows Security 4663 with ObjectType='Mutant', ObjectName containing 'LoadUpOnGunsBringYourFriends' (if Kernel Object auditing enabled). Sysmon Event ID 1: Process Create for powershell.exe with the mutex name visible in CommandLine. Check the name exactly as it reaches Chronicle in target.resource.name: sources differ on whether the Global\ prefix is reported, and Rule 1 must be written for the form your source actually emits.
- Test 2: Windows GUID-Format Mutex from Temp Path (SUNSPOT-Style)
Expected signal: DeviceEvents (MDE): ActionType containing 'Mutex', MutexName='{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Windows Security 4663: ObjectType='Mutant', ObjectName='{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Sysmon EID 1: powershell.exe process create with GUID in CommandLine. Rule 2 keys on the image path of the creating process, so when powershell.exe creates the mutex, principal.process.file.full_path points at System32 rather than Temp and the path condition is not met; this test therefore exercises Rule 1 (the SUNSPOT GUID is in its list), and to exercise Rule 2 the mutex has to be created by a binary that itself runs from a Temp, AppData, ProgramData or Public path.
- Test 3: Windows Machine-Derived Mutex Name (LockBit 3.0 Pattern)
Expected signal: Sysmon EID 1: process create for the PowerShell host. PowerShell Script Block Logging (EID 4104): the script text reading HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. DeviceRegistryEvents: access to HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid by powershell.exe. DeviceEvents: mutex creation with a Global\<32-char hex string> name, the shape Rule 2 matches. The same image-path caveat as Test 2 applies to Rule 2.
- Test 4: Linux File-Based Mutex via flock() (BPFDoor Pattern)
Expected signal: Linux auditd (if syscall auditing enabled): flock() syscall by python3 on /tmp/df00tech-initd.lock with LOCK_EX|LOCK_NB flags. File creation event for /tmp/df00tech-initd.lock by python3 process. /proc/locks shows FLOCK WRITE lock held by python3 PID. MDE DeviceFileEvents: FileCreated action for *.lock file by python3 from non-standard path. Rule 3 only matches .lock/.pid/.run files under /var/run/ or /var/lock/, so a lock file in /tmp yields the telemetry above but no alert; to exercise the rule, create the lock file under /var/run/ (requires root) from a python3 binary outside the system binary directories, or adjust the path regex for the test run.
References (10)
- https://attack.mitre.org/techniques/T1480/002/
- https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
- https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
- https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
- https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://blog.cyble.com/2024/05/27/embargo-ransomware-new-rust-based-ransomware-group-emerges/
- https://www.justice.gov/opa/pr/joint-cybersecurity-advisory-lockbit-30-ransomware
- https://learn.microsoft.com/en-us/sysinternals/downloads/handle