T1480.002 Microsoft Sentinel · KQL

Detect Mutual Exclusion in Microsoft Sentinel

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource — only one thread or process can hold a given mutex at a time. By creating a uniquely named system mutex at startup, malware checks whether a prior instance is already running: if the mutex already exists, the new instance silently exits, preventing duplicate infections that could increase analyst visibility. Mutex names may be hard-coded strings (Embargo ransomware uses "LoadUpOnGunsBringYourFriends"; SUNSPOT uses a GUID string; Gazer uses "{531511FA-190D-5D85-8A4A-279F2F592CC7}"), machine-derived (LockBit 3.0 hashes the host MachineGUID value), or computed from the binary itself (GrimAgent uses the last 64 bytes of its PE file). In Linux environments, malware such as BPFDoor acquires an exclusive file lock on a runtime file — typically in /var/run/ — achieving the same single-instance effect without Windows API calls. Mutex-based execution guardrails indicate operational maturity: they reduce noise from redundant infections and help adversaries maintain stealth during long-dwell campaigns.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1480 Execution Guardrails
Sub-technique
T1480.002 Mutual Exclusion
Canonical reference
https://attack.mitre.org/techniques/T1480/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let KnownMalwareMutexes = dynamic([
    "LoadUpOnGunsBringYourFriends",                   // Embargo ransomware (Cyble 2024)
    "mymutex",                                        // GrimAgent default fallback
    "{12d61a41-4b74-7610-a4d8-3028d2f56395}",         // SUNSPOT (SolarWinds intrusion)
    "{531511FA-190D-5D85-8A4A-279F2F592CC7}",         // Gazer backdoor (Turla)
    "I_am_an_unique_mutex",
    "Global\\TermService_alive",
    "Global\\MS_HIDDENCLK_R"
]);
let SuspiciousProcessPaths = dynamic([
    "\\AppData\\Roaming\\",
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\ProgramData\\",
    "\\Windows\\Temp\\",
    "\\Recycle"
]);
let TrustedSystemProcesses = dynamic([
    "svchost.exe", "services.exe", "lsass.exe", "MsMpEng.exe",
    "SenseIR.exe", "msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe"
]);
// Branch 1: Direct mutex telemetry via MDE enhanced ETW (Defender for Endpoint P2)
let MutexEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType has "Mutex" or ActionType has "Mutant"
| extend MutexName = coalesce(
    tostring(parse_json(AdditionalFields).MutexName),
    tostring(parse_json(AdditionalFields).ObjectName),
    tostring(parse_json(AdditionalFields).Name)
  )
| where isnotempty(MutexName)
| where MutexName has_any (KnownMalwareMutexes)
    or (
        MutexName matches regex @"^\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}$"
        and not (InitiatingProcessFileName in~ (TrustedSystemProcesses))
        and InitiatingProcessFolderPath has_any (SuspiciousProcessPaths)
    )
    or (
        MutexName matches regex @"^Global\\\\[0-9a-fA-F]{32}$"
        and InitiatingProcessFolderPath has_any (SuspiciousProcessPaths)
    )
| project
    Timestamp,
    DeviceName,
    AccountName = InitiatingProcessAccountName,
    ProcessName = InitiatingProcessFileName,
    ProcessPath = InitiatingProcessFolderPath,
    ProcessCommandLine = InitiatingProcessCommandLine,
    MutexName,
    ParentProcess = InitiatingProcessParentFileName,
    DetectionBranch = "MutexAPIEvent";
// Branch 2: Linux-style lock file creation in /var/run/ or /var/lock/ by non-system processes
// Matches BPFDoor (/var/run/initd.lock) and RedXOR patterns
let LockFileEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath startswith "/var/run/" or FolderPath startswith "/var/lock/"
| where FileName endswith ".lock" or FileName endswith ".pid" or FileName endswith ".run"
| where not (InitiatingProcessFileName in~ (
    "systemd", "init", "chronyd", "sshd", "crond", "cron",
    "rsyslogd", "dbus-daemon", "NetworkManager", "nginx",
    "apache2", "httpd", "mysqld", "postgres", "postfix",
    "auditd", "dockerd", "containerd", "kubelet"
  ))
| where not (
    InitiatingProcessFolderPath startswith "/usr/sbin/"
    or InitiatingProcessFolderPath startswith "/usr/bin/"
    or InitiatingProcessFolderPath startswith "/usr/lib/"
    or InitiatingProcessFolderPath startswith "/lib/systemd/"
    or InitiatingProcessFolderPath startswith "/sbin/"
    or InitiatingProcessFolderPath startswith "/bin/"
  )
| project
    Timestamp,
    DeviceName,
    AccountName = InitiatingProcessAccountName,
    ProcessName = InitiatingProcessFileName,
    ProcessPath = InitiatingProcessFolderPath,
    ProcessCommandLine = InitiatingProcessCommandLine,
    MutexName = strcat(FolderPath, "/", FileName),
    ParentProcess = InitiatingProcessParentFileName,
    DetectionBranch = "LinuxLockFile";
union MutexEvents, LockFileEvents
| sort by Timestamp desc
high severity medium confidence

Multi-branch detection for T1480.002 mutex-based execution guardrails across Windows and Linux. Branch 1 queries DeviceEvents for mutex creation events matching known malware mutex names (Embargo, SUNSPOT, Gazer) or suspicious GUID/hex-format global mutexes created from user-writable paths by non-trusted system processes. Requires Microsoft Defender for Endpoint P2 with enhanced ETW telemetry. Branch 2 detects Linux-style file-based mutex creation in /var/run/ or /var/lock/ by processes outside standard system binary directories, targeting the BPFDoor /var/run/initd.lock and RedXOR file-locking patterns. GUID-format mutexes from trusted installer paths are excluded to reduce installer false positives.

Data Sources

Process: OS API ExecutionFile: File CreationMicrosoft Defender for Endpoint (enhanced ETW)

Required Tables

DeviceEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate .NET and Java applications using GUID-format named mutexes for single-instance enforcement (e.g., JetBrains IDEs, Adobe products)
  • Software installers (NSIS, Inno Setup, WiX-based) that create temporary GUID-named mutexes during installation from user temp directories
  • Package managers and system daemons (apt, yum, pip) creating lock files in /var/run/ during update operations
  • Database engines (MySQL, PostgreSQL, MongoDB) creating PID files in /var/run/ at daemon startup
  • Container runtimes (dockerd, containerd) creating runtime lock and PID files in /var/run/docker/ or /var/run/containerd/
Download portable Sigma rule (.yml)

Other platforms for T1480.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Named Mutex Creation with Known Malware Name (Embargo)

    Expected signal: DeviceEvents with ActionType containing 'Mutex' (if MDE ETW enabled): AdditionalFields will include MutexName='Global\LoadUpOnGunsBringYourFriends', InitiatingProcessFileName='powershell.exe'. Windows Security 4663 with ObjectType='Mutant', ObjectName containing 'LoadUpOnGunsBringYourFriends' (if Kernel Object auditing enabled). Sysmon Event ID 1: Process Create for powershell.exe with the mutex name visible in CommandLine.

  2. Test 2Windows GUID-Format Mutex from Temp Path (SUNSPOT-Style)

    Expected signal: DeviceEvents (MDE): ActionType containing 'Mutex', MutexName='{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Windows Security 4663: ObjectType='Mutant', ObjectName='{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Sysmon EID 1: powershell.exe process create with GUID in CommandLine.

  3. Test 3Windows Machine-Derived Mutex Name (LockBit 3.0 Pattern)

    Expected signal: Sysmon EID 1: PowerShell process create with registry access to HKLM\SOFTWARE\Microsoft\Cryptography visible in ScriptBlock log (EID 4104). DeviceEvents: Mutex creation with Global\<32-char hex string> pattern. DeviceRegistryEvents: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid read access by powershell.exe.

  4. Test 4Linux File-Based Mutex via flock() — BPFDoor Pattern

    Expected signal: Linux auditd (if syscall auditing enabled): flock() syscall by python3 on /tmp/df00tech-initd.lock with LOCK_EX|LOCK_NB flags. File creation event for /tmp/df00tech-initd.lock by python3 process. /proc/locks shows FLOCK WRITE lock held by python3 PID. MDE DeviceFileEvents: FileCreated action for *.lock file by python3 from non-standard path.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1480.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1480Execution Guardrails

Related Sub-techniques

T1480.001Environmental Keying

Related Techniques

T1480Execution GuardrailsT1480.001Environmental KeyingT1036MasqueradingT1055Process InjectionT1543.003Windows ServiceT1053.005Scheduled TaskT1027Obfuscated Files or InformationT1082System Information DiscoveryT1486Data Encrypted for ImpactT1071Application Layer Protocol

Same Tactic: Defense Evasion

Popular Detections