T1480.002 Mutual Exclusion · IBM QRadar

Detect Mutual Exclusion in IBM QRadar

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource — only one thread or process can hold a given mutex at a time. By creating a uniquely named system mutex at startup, malware checks whether a prior instance is already running: if the mutex already exists, the new instance silently exits, preventing duplicate infections that could increase analyst visibility. Mutex names may be hard-coded strings (Embargo ransomware uses "LoadUpOnGunsBringYourFriends"; SUNSPOT uses a GUID string; Gazer uses "{531511FA-190D-5D85-8A4A-279F2F592CC7}"), machine-derived (LockBit 3.0 hashes the host MachineGUID value), or computed from the binary itself (GrimAgent uses the last 64 bytes of its PE file). In Linux environments, malware such as BPFDoor acquires an exclusive file lock on a runtime file — typically in /var/run/ — achieving the same single-instance effect without Windows API calls. Mutex-based execution guardrails indicate operational maturity: they reduce noise from redundant infections and help adversaries maintain stealth during long-dwell campaigns.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1480 Execution Guardrails
Sub-technique
T1480.002 Mutual Exclusion
Canonical reference
https://attack.mitre.org/techniques/T1480/002/

QRadar Detection Query

IBM QRadar AQL

/* T1480.002 -- Mutex Execution Guardrail: Windows Mutant Object Access (AQL) */
/* Prerequisites: Microsoft Windows Security Event Log DSM ingesting Event 4663;
   the "Audit Kernel Object" subcategory (success) enabled; and the security
   option "Audit: Audit the access of global system objects" (AuditBaseObjects)
   enabled. Without AuditBaseObjects, Mutant objects carry no SACL and never
   produce a 4663 at all. */
/* Notes: "EventID" is the Windows DSM custom event property (compare against
   '4663' instead if your CEP is typed as text). Field labels are matched loosely
   because WinCollect renders "Object Type:" while XML/JSON forwarders render
   "ObjectType". The Global\ prefix is resolved by the object manager, so the
   audited Object Name reads \BaseNamedObjects\<name> (or
   \Sessions\<n>\BaseNamedObjects\<name> for the local namespace), never the
   literal string "Global\". AQL has no CASE expression, so the triage tiers are
   annotated in the WHERE clause rather than emitted as a column. Double the
   backslashes if your QRadar version escapes string literals. */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username AS subject_user,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name,
  UTF8(payload) AS raw_event
FROM events
WHERE
  "EventID" = 4663
  AND UTF8(payload) ILIKE '%Object%Type:%Mutant%'
  AND (
    /* Tier 3: hard-coded mutex names (Embargo, SUNSPOT, Gazer and others) */
    UTF8(payload) ILIKE '%LoadUpOnGunsBringYourFriends%' OR
    UTF8(payload) ILIKE '%mymutex%' OR
    UTF8(payload) ILIKE '%I_am_an_unique_mutex%' OR
    UTF8(payload) ILIKE '%TermService_alive%' OR
    UTF8(payload) ILIKE '%MS_HIDDENCLK_R%' OR
    UTF8(payload) ILIKE '%12d61a41-4b74-7610-a4d8-3028d2f56395%' OR
    UTF8(payload) ILIKE '%531511FA-190D-5D85-8A4A-279F2F592CC7%' OR
    /* Tier 2: structural names. MATCHES is a whole-string Java regex, hence the
       (?is) flags and the .* anchors on both ends. */
    UTF8(payload) MATCHES '(?is).*Object\s*Name:\s*\S*BaseNamedObjects\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}.*' OR
    UTF8(payload) MATCHES '(?is).*Object\s*Name:\s*\S*BaseNamedObjects\\[0-9a-f]{32}\b.*'
  )
  /* Exclusions pinned to full image paths: a dropper named svchost.exe running
     from %TEMP% must not be excluded on bare image name. */
  AND NOT (
    UTF8(payload) ILIKE '%Process%Name:%\Windows\System32\svchost.exe%' OR
    UTF8(payload) ILIKE '%Process%Name:%\Windows\System32\lsass.exe%' OR
    UTF8(payload) ILIKE '%Process%Name:%\Windows\System32\services.exe%' OR
    UTF8(payload) ILIKE '%Process%Name:%\Windows\System32\msiexec.exe%' OR
    UTF8(payload) ILIKE '%Process%Name:%\Windows Defender\%MsMpEng.exe%' OR
    UTF8(payload) ILIKE '%Process%Name:%\Windows\WinSxS\%TiWorker.exe%' OR
    UTF8(payload) ILIKE '%Process%Name:%\Windows\servicing\TrustedInstaller.exe%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

Severity: high · Confidence: medium

Detects T1480.002 mutex-based execution guardrails via Windows Security Event 4663 (Kernel Object access, Object Type = Mutant). The query matches the raw payload with UTF8(payload) because the Windows Security DSM does not normalise Object Type, Object Name or Process Name into standard Ariel fields; payload matching is the portable fallback, but it scans every event, so for sustained use define custom event properties for those three fields and rewrite the predicates against them. Hits fall into two triage tiers: the hard-coded mutex names listed in the query (Embargo, SUNSPOT, Gazer and others) are high-confidence matches, while GUID-format names and 32-character hex names under \BaseNamedObjects\ are structural matches that need the initiating process and its full path checked before escalation. GrimAgent and LockBit 3.0 derive their names at run time, so only the structural tier can catch them. Audit prerequisites on the endpoint are Kernel Object subcategory success auditing plus "Audit the access of global system objects"; on the QRadar side, the Windows Security Event Log DSM must be ingesting Event 4663.
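The same matching logic, re-implemented in Python as an added example so the two tiers can be run against sample events offline. This is not the page's query and not QRadar code. The 4663 payloads below are constructed for illustration (one in WinCollect text form, one in XML form), the trusted-process paths are assumed standard install locations, and the MD5 used to fabricate a LockBit-style 32-hex name is an assumption: the page states only that the MachineGUID is hashed.

```python
import hashlib
import re

# Tier 3: hard-coded mutex names, copied from the AQL query above.
KNOWN_MUTEX_STRINGS = (
    "LoadUpOnGunsBringYourFriends", "mymutex", "I_am_an_unique_mutex",
    "TermService_alive", "MS_HIDDENCLK_R",
    "12d61a41-4b74-7610-a4d8-3028d2f56395",
    "531511FA-190D-5D85-8A4A-279F2F592CC7",
)
# Tier 2: structural names. The object manager resolves the Global\ prefix to
# \BaseNamedObjects\, so that is what the audited Object Name contains.
GUID_NAME = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
HEX32_NAME = re.compile(r"BaseNamedObjects\\[0-9a-f]{32}(?![0-9a-z])", re.I)
# Exclusions keyed on the full image path (assumed standard locations), so a
# dropper named svchost.exe in %TEMP% is not excluded on bare name.
TRUSTED_PROCESSES = {
    r"c:\windows\system32\svchost.exe", r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe", r"c:\windows\system32\msiexec.exe",
    r"c:\windows\servicing\trustedinstaller.exe",
}
# Field labels differ by collector: WinCollect text renders "Object Type:\tMutant",
# XML/JSON forwarders render <Data Name="ObjectType">Mutant</Data>.
FIELD_TEXT = re.compile(r"(?im)^\s*(Object Type|Object Name|Process Name):\s*(.*?)\s*$")
FIELD_XML = re.compile(r"(?i)<Data Name=['\"](ObjectType|ObjectName|ProcessName)['\"]>(.*?)</Data>")


def parse_4663(payload):
    """Pull out the three fields the detection needs, normalising label spelling."""
    fields = {}
    for label, value in FIELD_TEXT.findall(payload) + FIELD_XML.findall(payload):
        fields[label.replace(" ", "").lower()] = value.strip()
    return fields


def score_event(payload):
    """3 = known malware mutex name, 2 = structural match, 0 = not a hit."""
    f = parse_4663(payload)
    if f.get("objecttype", "").lower() != "mutant":
        return 0
    if f.get("processname", "").lower() in TRUSTED_PROCESSES:
        return 0
    name = f.get("objectname", "")
    if any(s.lower() in name.lower() for s in KNOWN_MUTEX_STRINGS):
        return 3
    if GUID_NAME.search(name) or HEX32_NAME.search(name):
        return 2
    return 0


def machine_derived_name(machine_guid):
    """LockBit 3.0-style name. The page says only that the MachineGUID is hashed;
    MD5 is an assumption here because it yields the 32-hex form the tier-2 regex targets."""
    return "\\BaseNamedObjects\\" + hashlib.md5(machine_guid.encode()).hexdigest()


def triage(payloads):
    """Mirror the query's WHERE and ORDER BY: keep hits, highest tier first."""
    hits = [(score_event(p), parse_4663(p)) for p in payloads]
    return sorted(((s, f["objectname"], f.get("processname", "")) for s, f in hits if s),
                  key=lambda h: h[0], reverse=True)


def _text_4663(object_type, object_name, process):
    # Constructed, abbreviated WinCollect-style 4663 body; not a captured event.
    return ("An attempt was made to access an object.\r\nObject:\r\n"
            "\tObject Server:\t\tSecurity\r\n"
            f"\tObject Type:\t\t{object_type}\r\n\tObject Name:\t\t{object_name}\r\n"
            f"Process Information:\r\n\tProcess Name:\t\t{process}\r\n")


SAMPLE_EVENTS = [  # constructed inputs, one per branch of the logic
    _text_4663("Mutant", r"\BaseNamedObjects\LoadUpOnGunsBringYourFriends",
               r"C:\Users\jdoe\AppData\Local\Temp\update.exe"),           # tier 3
    "<EventData><Data Name='ObjectType'>Mutant</Data>"                    # tier 2, XML form
    "<Data Name='ObjectName'>\\Sessions\\1\\BaseNamedObjects\\{6f1b9c2e-7a3d-4f10-9b2e-8c5d1e0f2a3b}</Data>"
    "<Data Name='ProcessName'>C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe</Data></EventData>",
    _text_4663("Mutant", machine_derived_name("c4d3e1a2-5b6c-4d7e-8f90-a1b2c3d4e5f6"),
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # tier 2
    _text_4663("Mutant", r"\BaseNamedObjects\{0a1b2c3d-4e5f-4071-8293-a4b5c6d7e8f9}",
               r"C:\Windows\System32\svchost.exe"),                      # excluded process
    _text_4663("File", r"C:\Users\jdoe\Desktop\notes.txt",
               r"C:\Windows\System32\notepad.exe"),                      # not a Mutant
]

if __name__ == "__main__":
    for tier, name, proc in triage(SAMPLE_EVENTS):
        print(tier, name, proc)
```

Running it prints the three hits in tier order; the svchost.exe event drops out only because its full path matches the exclusion set, which is the behaviour the path-pinned exclusions in the query are meant to preserve.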

Data Sources

Windows Security Event Log, Event ID 4663 (Kernel Object access, Object Type = Mutant), parsed by the Microsoft Windows Security Event Log DSM and delivered by either:
  • the WinCollect agent, or
  • syslog-based forwarding of Windows Security events to QRadar.
Requires the Kernel Object audit subcategory (auditpol) and the "Audit the access of global system objects" security option enabled on endpoints; without the latter, Mutant objects have no SACL and no 4663 is generated for them.

Required Tables

events

False Positives & Tuning

  • With "Audit the access of global system objects" enabled (a prerequisite for any 4663 on Mutant objects), every named kernel object receives a default SACL and 4663 volume rises sharply across the estate; restrict the query to a log source group, keep the time window short, and for sustained use define custom event properties for Object Name and Process Name so the predicates run on indexed fields rather than a full payload scan
  • Enterprise license managers (FlexLM, Sentinel HASP) and DRM solutions that use GUID-format named mutexes for activation state tracking: correlate with software inventory and add the full image paths of the known-good processes to the exclusion block
  • Microsoft .NET runtime and CLR components that create GUID-named mutex objects during application startup: they run from %ProgramFiles% or the Windows directories, but the GUID pattern fires regardless of path because exclusions are by process, so add the hosting processes' full paths rather than loosening the regex
  • Vulnerability scanners and EDR products running internal diagnostics that create short-lived Mutant objects with hex-format names: validate by checking event frequency, since a malware guardrail mutex is created once at process start rather than repeatedly

Testing Methodology

Validate this detection against the four Atomic Red Team-style test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see. For the QRadar query on this page, the relevant signal in Tests 1 to 3 is a Windows Security 4663 whose payload carries Object Type: Mutant; that event exists only when Kernel Object auditing and "Audit the access of global system objects" are both enabled, and the audited Object Name shows the resolved path (\BaseNamedObjects\<name>, or \Sessions\<n>\BaseNamedObjects\<name> for a non-Global name) rather than the literal Global\ prefix.

  1. Test 1: Windows Named Mutex Creation with Known Malware Name (Embargo)

    Expected signal: DeviceEvents (MDE, if its mutex ETW telemetry is enabled) with ActionType containing 'Mutex', AdditionalFields MutexName='Global\LoadUpOnGunsBringYourFriends', InitiatingProcessFileName='powershell.exe'. Windows Security 4663 with Object Type 'Mutant' and Object Name '\BaseNamedObjects\LoadUpOnGunsBringYourFriends'. Sysmon Event ID 1: process create for powershell.exe, with the mutex name in CommandLine only if the script is passed inline rather than from a file.

  2. Test 2: Windows GUID-Format Mutex from Temp Path (SUNSPOT-Style)

    Expected signal: DeviceEvents (MDE): ActionType containing 'Mutex', MutexName='{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Windows Security 4663: Object Type 'Mutant', Object Name ending in '{12d61a41-4b74-7610-a4d8-3028d2f56395}' under \BaseNamedObjects\. Sysmon EID 1: powershell.exe process create with the GUID in CommandLine.

  3. Test 3: Windows Machine-Derived Mutex Name (LockBit 3.0 Pattern)

    Expected signal: PowerShell ScriptBlock log (EID 4104) showing the read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and the hashing step; Sysmon EID 1 for the powershell.exe process create. Neither Sysmon nor MDE DeviceRegistryEvents records registry value reads, so the MachineGuid read itself is visible only in 4104, or in a 4663 on the Cryptography key if a read SACL has been set on it. DeviceEvents: mutex creation with a 32-character hex name; in 4663 this appears as \BaseNamedObjects\<32 hex characters>, which is what the query's tier-2 regex matches.

  4. Test 4: Linux File-Based Mutex via flock() (BPFDoor Pattern)

    Expected signal: Linux auditd (with a syscall rule for flock): flock() by python3 on /tmp/df00tech-initd.lock with LOCK_EX|LOCK_NB. File creation event for /tmp/df00tech-initd.lock by the python3 process. /proc/locks shows an advisory FLOCK WRITE entry held by the python3 PID. MDE DeviceFileEvents: FileCreated for the *.lock file by python3 from a non-standard path.
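The single-instance guardrail that the introduction describes and that Test 4 exercises, written here as an added example (not BPFDoor's code and not part of the original page) so the "already running, exit quietly" branch can be observed inside one process. The lock file name is the one Test 4 uses, placed under the temp directory so no privileges are needed; writing the PID into the file is a pidfile convention chosen for the demo, not something flock() requires. The Windows path (CreateMutexW followed by GetLastError() == ERROR_ALREADY_EXISTS) is described only in the comments because it cannot run here.

```python
import errno
import fcntl
import os
import tempfile


def try_acquire(lock_path):
    """Return an open file holding LOCK_EX on lock_path, or None if another
    open file description already holds it. LOCK_NB is what turns the lock
    into a guardrail: a second instance must not wait, it must give up.
    flock() locks belong to the open file description, so a fresh open() of
    the same path behaves exactly like a second process launching.
    Windows equivalent: CreateMutexW(), then GetLastError() == ERROR_ALREADY_EXISTS (183)."""
    fd = open(lock_path, "a+")        # create if missing, never truncate on open
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as e:
        if e.errno in (errno.EWOULDBLOCK, errno.EAGAIN):
            fd.close()                # the "already running" branch: exit quietly
            return None
        raise
    fd.seek(0)
    fd.truncate()
    fd.write(str(os.getpid()))        # pidfile-style content; a convention, not required
    fd.flush()
    return fd


def run_demo():
    """Sequence Test 4 expects: the first instance acquires, the duplicate is
    refused, and after release a fresh instance succeeds. While the lock is
    held, /proc/locks lists it as FLOCK ADVISORY WRITE for this PID."""
    path = os.path.join(tempfile.gettempdir(), "df00tech-initd.lock")
    first = try_acquire(path)
    second = try_acquire(path)        # the duplicate launch
    refused = second is None
    if first is not None:
        first.close()                 # closing the descriptor releases the flock
    third = try_acquire(path)
    if third is not None:
        third.close()
    os.unlink(path)                   # cleanup step
    return [first is not None, refused, third is not None]


if __name__ == "__main__":
    print(run_demo())                 # expected: [True, True, True]
```

To see the auditd signal listed above while this runs, add a rule such as `-a always,exit -F arch=b64 -S flock -k t1480_mutex` and watch for the python3 PID holding the lock in /proc/locks between the first and second acquire.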
