Detect Mutual Exclusion in Sumo Logic CSE
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource — only one thread or process can hold a given mutex at a time. By creating a uniquely named system mutex at startup, malware checks whether a prior instance is already running: if the mutex already exists, the new instance silently exits, preventing duplicate infections that could increase analyst visibility. Mutex names may be hard-coded strings (Embargo ransomware uses "LoadUpOnGunsBringYourFriends"; SUNSPOT uses a GUID string; Gazer uses "{531511FA-190D-5D85-8A4A-279F2F592CC7}"), machine-derived (LockBit 3.0 hashes the host MachineGUID value), or computed from the binary itself (GrimAgent uses the last 64 bytes of its PE file). In Linux environments, malware such as BPFDoor acquires an exclusive file lock on a runtime file — typically in /var/run/ — achieving the same single-instance effect without Windows API calls. Mutex-based execution guardrails indicate operational maturity: they reduce noise from redundant infections and help adversaries maintain stealth during long-dwell campaigns.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1480 Execution Guardrails
- Sub-technique
- T1480.002 Mutual Exclusion
- Canonical reference
- https://attack.mitre.org/techniques/T1480/002/
Sumo Detection Query
// Branch 1: Windows Mutant object access via Security Event 4663
// Run against the Windows Security source category. 4663 is only raised for mutants when the
// "Audit Kernel Object" subcategory is enabled (see Data Sources), so confirm that before deploying.
(_sourceCategory=windows/security OR _sourceCategory=*WinEventLog*Security* OR _sourceCategory=*winlogbeat*) 4663
// The event id field is named differently by each shipper (EventCode=, EventID:, "event_id":); parse it rather than assuming a field exists
| parse regex field=_raw "(?i)(?:EventCode|EventID|event_id)\W+(?<EventCode>\d+)" nodrop
| where EventCode = "4663"
// Labels in the 4663 body are "Object Type:" / "Object Name:" (with a space), followed by tabs
| parse regex field=_raw "Object Type:\s+(?<ObjectType>[^\r\n]+)" nodrop
| parse regex field=_raw "Object Name:\s+(?<ObjectName>[^\r\n]+)" nodrop
| parse regex field=_raw "Process Name:\s+(?<ProcessName>[^\r\n]+)" nodrop
| parse regex field=_raw "Process ID:\s+(?<ProcessId>[^\r\n]+)" nodrop
| parse regex field=_raw "Account Name:\s+(?<SubjectUser>[^\r\n]+)" nodrop
| where ObjectType = "Mutant"
// 4663 logs the object-manager path (\BaseNamedObjects\<name> for Global\ mutexes,
// \Sessions\<n>\BaseNamedObjects\<name> for session-local ones), never the bare name,
// so match on the last path component. A "Global\" prefix does not appear in the logged path.
| parse regex field=ObjectName "(?<MutexName>[^\\]+)$" nodrop
| where MutexName = "LoadUpOnGunsBringYourFriends"
    OR MutexName = "mymutex"
    OR MutexName = "{12d61a41-4b74-7610-a4d8-3028d2f56395}"
    OR MutexName = "{531511FA-190D-5D85-8A4A-279F2F592CC7}"
    OR MutexName = "I_am_an_unique_mutex"
    OR MutexName = "TermService_alive"
    OR MutexName = "MS_HIDDENCLK_R"
    OR MutexName matches /^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$/
    OR MutexName matches /^[0-9A-Fa-f]{32}$/
// 3 = known malware mutex name (the SUNSPOT and Gazer GUIDs included), 2 = structural GUID / 32-hex pattern only
| if(MutexName = "LoadUpOnGunsBringYourFriends" OR MutexName = "mymutex" OR MutexName = "I_am_an_unique_mutex" OR MutexName = "TermService_alive" OR MutexName = "MS_HIDDENCLK_R" OR MutexName = "{12d61a41-4b74-7610-a4d8-3028d2f56395}" OR MutexName = "{531511FA-190D-5D85-8A4A-279F2F592CC7}", 3, 2) as SuspicionScore
// Suppress noisy system binaries for structural hits only; a known malware name is reported whatever process touched it
| where SuspicionScore = 3 OR !(ProcessName matches /(?i)(svchost|services|lsass|MsMpEng|SenseIR|msiexec|TiWorker|TrustedInstaller)\.exe$/)
| "WindowsMutantAccess" as DetectionBranch
| fields _messageTime, _sourceHost, SubjectUser, ProcessName, ProcessId, ObjectName, MutexName, SuspicionScore, DetectionBranch
| sort by SuspicionScore desc, _messageTime desc

// Branch 2: Linux lock-file acquisition by an untrusted process (deploy as a separate saved search)
// Run against the Linux audit source category. Assumes the collector ships interpreted audit records
// (ausearch -i style or an audit forwarder) with syscall, exe, uid and name already present as fields.
// Raw auditd splits these across SYSCALL and PATH records that share one msg=audit(time:serial) id,
// so a raw feed needs a join on that serial first. flock() and fcntl() take a descriptor and produce
// no PATH record; the path is only visible on the open()/openat() that preceded them.
// /var/run is normally a symlink to /run; the name field records the path exactly as the process opened it.
(_sourceCategory=linux/audit OR _sourceCategory=*auditd*)
| where syscall in ("flock", "fcntl", "open", "openat")
| where name matches "/var/run/*.lock"
    OR name matches "/var/lock/*.lock"
    OR name matches "/var/run/*.pid"
    OR name matches "/var/run/*.run"
// Exclude binaries under standard system paths and well-known daemons
| where !(exe matches /^(\/usr\/sbin\/|\/usr\/bin\/|\/usr\/lib\/|\/lib\/systemd\/|\/sbin\/|\/bin\/).*$/)
| where !(exe matches /(systemd|init|chronyd|sshd|crond|cron|rsyslogd|dbus-daemon|NetworkManager|nginx|apache2|mysqld|postgres|postfix|auditd|dockerd|containerd|kubelet)$/)
| replace(exe, /.*\//, "") as ProcessName
| 2 as SuspicionScore
| "LinuxFileLock" as DetectionBranch
| fields _messageTime, _sourceHost, ProcessName, exe, uid, name, syscall, SuspicionScore, DetectionBranch
| sort by _messageTime desc

Detects T1480.002 mutual exclusion guardrails via two Sumo Logic search branches. Branch 1 parses Windows Security Event 4663 from the Windows Security source category, keeps Mutant object accesses only, reduces the logged object-manager path to the mutex name and matches it against known malware mutex names (Embargo, SUNSPOT, Gazer and the other literals listed) plus GUID and 32-character hex structural patterns; noisy system processes are suppressed for structural hits only. GrimAgent derives its mutex from the binary and LockBit 3.0 from the MachineGUID, so neither can be matched by a literal name; the 32-hex pattern is what catches the LockBit-style value. Branch 2 searches Linux auditd events for flock/fcntl/open/openat syscalls against /var/run/ and /var/lock/ lock files by processes outside standard system binary paths, the single-instance technique used by BPFDoor and RedXOR. Each branch assigns a SuspicionScore (3 = known malware name, 2 = structural pattern or Linux lock file) for analyst triage prioritization.
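To make the Branch 1 logic checkable offline, the same parse-and-score pipeline follows in Python, run over constructed 4663 message bodies. This is an added example, not the page's query and not Sumo Logic code: it reduces the object-manager path that 4663 records to the mutex name, scores known names 3 and structural GUID/32-hex names 2, and applies the system-process exclusion to structural hits only, so a known name is reported even when svchost.exe touches it. The user names, process paths and the non-malware GUID are made up for the sample.

```python
import re

# Known single-instance mutex names from the detection query. The SUNSPOT and
# Gazer GUIDs count as known names (score 3), not just pattern hits.
KNOWN_MUTEXES = {
    "LoadUpOnGunsBringYourFriends",
    "mymutex",
    "I_am_an_unique_mutex",
    "TermService_alive",
    "MS_HIDDENCLK_R",
    "{12d61a41-4b74-7610-a4d8-3028d2f56395}",
    "{531511FA-190D-5D85-8A4A-279F2F592CC7}",
}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
SYSTEM_PROCESS_RE = re.compile(
    r"(?i)\\(svchost|services|lsass|MsMpEng|SenseIR|msiexec|TiWorker|TrustedInstaller)\.exe$")


def field(raw, label):
    """Pull one 'Label:<tabs>value' field out of a 4663 message body."""
    m = re.search(re.escape(label) + r":\s+([^\r\n]+)", raw)
    return m.group(1).strip() if m else None


def mutex_leaf(object_name):
    """4663 logs \\BaseNamedObjects\\X or \\Sessions\\N\\BaseNamedObjects\\X;
    the mutex name itself is the last path component."""
    return object_name.rsplit("\\", 1)[-1]


def score_mutex(leaf):
    """3 = known malware name, 2 = structural GUID / 32-hex pattern, 0 = no match."""
    if leaf in KNOWN_MUTEXES:
        return 3
    if GUID_RE.match(leaf) or HEX32_RE.match(leaf):
        return 2
    return 0


def triage(events):
    """Apply the Branch 1 filters to a list of raw 4663 bodies; return findings by score."""
    findings = []
    for raw in events:
        if field(raw, "Object Type") != "Mutant":
            continue
        leaf = mutex_leaf(field(raw, "Object Name") or "")
        proc = field(raw, "Process Name") or ""
        s = score_mutex(leaf)
        if s == 0:
            continue
        # System-binary exclusion applies to pattern hits only; a known-bad
        # name coming from svchost.exe is exactly what you want to see.
        if s < 3 and SYSTEM_PROCESS_RE.search(proc):
            continue
        findings.append({"user": field(raw, "Account Name"), "process": proc,
                         "pid": field(raw, "Process ID"), "mutex": leaf, "score": s})
    return sorted(findings, key=lambda f: -f["score"])


def sample_4663(user, object_name, proc, object_type="Mutant"):
    """Constructed 4663 body in the Security-log layout (not real telemetry)."""
    return ("An attempt was made to access an object.\n"
            f"Subject:\n\tAccount Name:\t\t{user}\n"
            f"Object:\n\tObject Server:\t\tSecurity\n\tObject Type:\t\t{object_type}\n"
            f"\tObject Name:\t\t{object_name}\n"
            f"Process Information:\n\tProcess ID:\t\t0x1a2c\n\tProcess Name:\t\t{proc}\n")


# Constructed sample events covering each decision the pipeline makes.
SAMPLE_EVENTS = [
    sample_4663("alice", r"\BaseNamedObjects\LoadUpOnGunsBringYourFriends",
                r"C:\Users\alice\AppData\Local\Temp\update.exe"),            # known name -> 3
    sample_4663("SYSTEM", r"\BaseNamedObjects\{12d61a41-4b74-7610-a4d8-3028d2f56395}",
                r"C:\Windows\System32\svchost.exe"),                         # known name beats exclusion -> 3
    sample_4663("bob", r"\Sessions\1\BaseNamedObjects\{0a1b2c3d-1111-2222-3333-444455556666}",
                r"C:\Program Files\Vendor\cad.exe"),                         # GUID pattern -> 2
    sample_4663("SYSTEM", r"\BaseNamedObjects\0123456789abcdef0123456789abcdef",
                r"C:\Windows\Temp\svc.exe"),                                 # 32-hex pattern -> 2
    sample_4663("SYSTEM", r"\BaseNamedObjects\{0a1b2c3d-1111-2222-3333-444455556666}",
                r"C:\Windows\System32\svchost.exe"),                         # pattern + system proc -> dropped
    sample_4663("alice", r"C:\Users\alice\notes.txt",
                r"C:\Windows\System32\notepad.exe", object_type="File"),     # not a Mutant -> skipped
    sample_4663("alice", r"\Sessions\1\BaseNamedObjects\MyAppSingleInstance",
                r"C:\Program Files\MyApp\app.exe"),                          # benign name -> dropped
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running it yields four findings, the two known names first. Feed it real 4663 bodies exported from Sumo Logic to check that the parsing labels match your shipper's rendering before trusting the saved search.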
Data Sources
- Windows Security Event 4663 (object access) with ObjectType "Mutant". These events are generated only when the Advanced Audit Policy subcategory Object Access > Audit Kernel Object is enabled, and in practice mutants also need a default SACL (the AuditBaseObjects LSA setting); without both, Branch 1 never fires.
- Linux auditd SYSCALL and PATH records for flock, fcntl, open and openat, which require audit rules for those syscalls. Branch 2 expects the records already interpreted into syscall, exe, uid and name fields.
False Positives & Tuning
- Third-party enterprise applications (AutoCAD, SolidWorks, Adobe) running from standard Program Files paths that use GUID mutex names for single-instance enforcement — add process name OR process path conditions to the exclusion block after baselining
- Configuration management agents (Puppet, Chef, SaltStack) deployed to /opt/ or /usr/local/bin/ that create lock files in /var/run/ during run locks — extend the exe path exclusion regex to cover trusted third-party agent paths
- Python or Ruby runtime applications that create /var/run/*.pid files for daemon management when deployed outside standard system paths — tune by correlating with known application deployment inventory and adding specific executable patterns
Testing Methodology
Validate this detection with the four test cases below, modelled on Atomic Red Team. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Windows Named Mutex Creation with Known Malware Name (Embargo)
Expected signal: DeviceEvents with ActionType containing 'Mutex' (if MDE ETW enabled): AdditionalFields will include MutexName='Global\LoadUpOnGunsBringYourFriends', InitiatingProcessFileName='powershell.exe'. Windows Security 4663 with ObjectType='Mutant' and ObjectName containing 'LoadUpOnGunsBringYourFriends' (if Kernel Object auditing enabled). Sysmon Event ID 1: Process Create for powershell.exe with the mutex name visible in CommandLine.
- Test 2: Windows GUID-Format Mutex from Temp Path (SUNSPOT-Style)
Expected signal: DeviceEvents (MDE): ActionType containing 'Mutex', MutexName='{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Windows Security 4663: ObjectType='Mutant', ObjectName containing '{12d61a41-4b74-7610-a4d8-3028d2f56395}'. Sysmon EID 1: powershell.exe process create with the GUID in CommandLine.
- Test 3: Windows Machine-Derived Mutex Name (LockBit 3.0 Pattern)
Expected signal: Sysmon EID 1: process create for powershell.exe. PowerShell ScriptBlock logging (EID 4104): the read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid visible in the script text. DeviceEvents: mutex creation matching the Global\<32-char hex string> pattern, which is the structural hex pattern Branch 1 scores 2. DeviceRegistryEvents: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid read access by powershell.exe.
- Test 4: Linux File-Based Mutex via flock() (BPFDoor Pattern)
Expected signal: Linux auditd (if syscall auditing enabled): flock() syscall by python3 on /tmp/df00tech-initd.lock with LOCK_EX|LOCK_NB flags. File creation event for /tmp/df00tech-initd.lock by python3 process. /proc/locks shows a FLOCK WRITE lock held by the python3 PID. MDE DeviceFileEvents: FileCreated action for a *.lock file by python3 from a non-standard path. Note that Branch 2 only watches /var/run/ and /var/lock/, so to exercise the saved search either place the test lock file under one of those directories (root required) or temporarily add /tmp/*.lock to the path patterns.
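The single-instance guard that the technique summary describes and Test 4 exercises, written out as an added example. This is not code from the page or from any of the malware families named on it: on Linux it takes a non-blocking exclusive flock() on a lock file (the BPFDoor pattern), and on Windows it creates a named kernel mutex and checks GetLastError for ERROR_ALREADY_EXISTS, which is the check a second instance of Embargo or SUNSPOT would perform. The lock name and directory are made up; the Windows branch uses the real kernel32 CreateMutexW/CloseHandle calls via ctypes.

```python
import ctypes
import os
import sys


class SingleInstance:
    """Single-instance guardrail of the kind T1480.002 describes.

    The first instance takes an exclusive, non-blocking lock on a well-known
    name; any later instance finds it held, gets False and is expected to exit
    quietly. Linux: flock() on a runtime file. Windows: a named mutex.
    """

    def __init__(self, name, lock_dir="/tmp"):
        self.name = name
        self.lock_path = os.path.join(lock_dir, name + ".lock")
        self._fd = None        # Linux: descriptor that owns the flock
        self._handle = None    # Windows: mutex handle
        self._k32 = None

    def acquire(self):
        """Return True if this is the only running instance, False otherwise."""
        if sys.platform == "win32":
            return self._acquire_mutex()
        return self._acquire_flock()

    def release(self):
        if self._fd is not None:
            os.close(self._fd)          # closing the descriptor drops the flock
            self._fd = None
        if self._handle is not None:
            self._k32.CloseHandle(self._handle)
            self._handle = None

    def _acquire_flock(self):
        import fcntl
        fd = os.open(self.lock_path, os.O_RDWR | os.O_CREAT, 0o644)
        try:
            # LOCK_EX | LOCK_NB: take the lock or fail at once with EWOULDBLOCK
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            os.close(fd)
            return False
        os.ftruncate(fd, 0)
        os.write(fd, f"{os.getpid()}\n".encode())   # conventional pid-file content
        self._fd = fd
        return True

    def _acquire_mutex(self):
        ERROR_ALREADY_EXISTS = 183
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.CreateMutexW.restype = ctypes.c_void_p
        k32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
        k32.CloseHandle.argtypes = [ctypes.c_void_p]
        handle = k32.CreateMutexW(None, False, "Global\\" + self.name)
        if not handle:
            raise ctypes.WinError(ctypes.get_last_error())
        # CreateMutexW succeeds even when the mutex already exists; the prior
        # holder is only visible through GetLastError, which is the real check.
        if ctypes.get_last_error() == ERROR_ALREADY_EXISTS:
            k32.CloseHandle(handle)
            return False
        self._k32, self._handle = k32, handle
        return True


def demo(name=None):
    """Two guards on the same name inside one process. A flock belongs to the
    open file description, so the second open()+flock() conflicts with the
    first exactly as a second process would; a named mutex behaves the same."""
    name = name or f"t1480-demo-{os.getpid()}"   # constructed name, not a real IOC
    first, second = SingleInstance(name), SingleInstance(name)
    took_first = first.acquire()
    took_second = second.acquire()            # False while first holds the lock
    first.release()
    took_after_release = second.acquire()     # True once the holder is gone
    second.release()
    return took_first, took_second, took_after_release


if __name__ == "__main__":
    print(demo())
```

While the first guard holds the lock, /proc/locks lists a FLOCK ADVISORY WRITE entry for the process, and on an audited host the flock() record is the event Branch 2 looks for; point lock_dir at /var/run to make the saved search fire rather than /tmp.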
References
- https://attack.mitre.org/techniques/T1480/002/
- https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
- https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
- https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/
- https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://blog.cyble.com/2024/05/27/embargo-ransomware-new-rust-based-ransomware-group-emerges/
- https://www.justice.gov/opa/pr/joint-cybersecurity-advisory-lockbit-30-ransomware
- https://learn.microsoft.com/en-us/sysinternals/downloads/handle