title: Mutual Exclusion (T1480.002)
id: df00tech-t1480-002
status: experimental
description: "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource — only one thread or process can hold a given mutex at a time. By creating a uniquely named system mutex at startup, malware checks whether a prior instance is already running: if the mutex already exists, the new instance silently exits, preventing duplicate infections that could increase analyst visibility. Mutex names may be hard-coded strings (Embargo ransomware uses \"LoadUpOnGunsBringYourFriends\"; SUNSPOT uses a GUID string; Gazer uses \"{531511FA-190D-5D85-8A4A-279F2F592CC7}\"), machine-derived (LockBit 3.0 hashes the host MachineGUID value), or computed from the binary itself (GrimAgent uses the last 64 bytes of its PE file). In Linux environments, malware such as BPFDoor acquires an exclusive file lock on a runtime file — typically in /var/run/ — achieving the same single-instance effect without Windows API calls. Mutex-based execution guardrails indicate operational maturity: they reduce noise from redundant infections and help adversaries maintain stealth during long-dwell campaigns."
references:
  - https://attack.mitre.org/techniques/T1480/002/
  - https://df00tech.com/detections/T1480.002
author: df00tech
date: 2026/04/19
tags:
  - attack.t1480.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate .NET and Java applications using GUID-format named mutexes for single-instance enforcement (e.g., JetBrains IDEs, Adobe products)"
  - "Software installers (NSIS, Inno Setup, WiX-based) that create temporary GUID-named mutexes during installation from user temp directories"
  - "Package managers and system daemons (apt, yum, pip) creating lock files in /var/run/ during update operations"
  - "Database engines (MySQL, PostgreSQL, MongoDB) creating PID files in /var/run/ at daemon startup"
  - "Container runtimes (dockerd, containerd) creating runtime lock and PID files in /var/run/docker/ or /var/run/containerd/"
level: high