Detection of Mutex-Based Execution Guardrails Across Platforms

Technique Detected: Mutual Exclusion | T1480.002

ID: DET0132
Domains: Enterprise
Analytics: AN0372, AN0373, AN0374
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0372

An adversary-created named mutex, acquired through system APIs (e.g., CreateMutexW) and followed by conditional process termination or an alternate code path, indicates malware checking whether it is already running on the host to avoid re-infection. Sysmon has no event for mutex creation, so the mutex name itself is only visible through API/ETW monitoring or handle enumeration; within the sources below, the observable is a newly created process (often from a just-dropped file) that exits almost immediately with no further activity.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11

Mutable Elements
Field | Description
mutex_name_entropy_threshold | Filter out common benign mutex names (allow-list) and highlight high-entropy or dynamically generated names; GUID-shaped names are high-entropy but common in legitimate software, so pair this element with the other two.
parent_process_path | Limit alerting to non-standard parent-child relationships indicative of malware staging or self-spawning (e.g., a binary under a user-writable path spawning a copy of itself).
TimeWindow | Correlate the process start (and the file creation that preceded it) with a rapid process exit (Sysmon EventCode=5) or an absence of further activity within a short timeframe.
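The mutex_name_entropy_threshold element above is easier to tune with a concrete scorer. The following is an added example for this page, not code from the original or from MITRE; because Sysmon does not record mutex creation, it assumes the names arrive from some other collector (an API/ETW monitoring feed or a handle dump), and the mutex names, the allow-list and the 3.5 bits-per-character threshold are all constructed for illustration.

```python
"""Entropy scoring of mutex names for the mutex_name_entropy_threshold element.

Added example for AN0372; not code from the original page. Sysmon has no
mutex-creation event, so the names are assumed to arrive from another collector
(an API/ETW monitoring feed or a handle dump); the list below is constructed.
"""
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 3.5   # bits per character: the mutable element, tune per estate
MIN_LENGTH = 8            # short names cannot reach a high entropy anyway

# Constructed allow-list of benign single-instance guards in a hypothetical estate.
BENIGN_MUTEX_RE = re.compile(r"^(MyVendorUpdaterSingleton|BackupAgent_Instance)$")
# GUID-shaped names are high-entropy but very common in legitimate software.
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")
# Kernel object namespace prefixes are not part of the name the author chose.
NAMESPACE_RE = re.compile(r"^(Global|Local|Session\\\d+)\\")


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def normalize(name):
    """Drop the Global, Local or Session\\N namespace prefix so only the chosen name is scored."""
    return NAMESPACE_RE.sub("", name)


def score_mutex(name, threshold=ENTROPY_THRESHOLD):
    """Classify one mutex name as allowlisted, guid, suspicious or benign."""
    base = normalize(name)
    ent = shannon_entropy(base)
    if BENIGN_MUTEX_RE.match(base):
        verdict = "allowlisted"
    elif GUID_RE.match(base):
        verdict = "guid"          # needs parent_process_path context, not entropy alone
    elif len(base) >= MIN_LENGTH and ent >= threshold:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"name": name, "entropy": round(ent, 2), "verdict": verdict}


def triage(names, threshold=ENTROPY_THRESHOLD):
    """Return only the names worth an analyst's attention, highest entropy first."""
    scored = [score_mutex(n, threshold) for n in names]
    flagged = [s for s in scored if s["verdict"] == "suspicious"]
    return sorted(flagged, key=lambda s: s["entropy"], reverse=True)


# Constructed sample: two allow-listed guards, a GUID, a dictionary-like name
# and a random-looking name of the kind a generated guardrail produces.
SAMPLE_MUTEXES = [
    r"Global\MyVendorUpdaterSingleton",
    r"Local\BackupAgent_Instance",
    "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}",
    "WinLoader",
    r"Global\x7Kq9pZw2mR4tLn8Vb",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_MUTEXES):
        print(f"{hit['verdict']:10} {hit['entropy']:.2f}  {hit['name']}")
```

The GUID branch is the edge case worth keeping: a 32-hex-digit name scores close to 4 bits per character and would trip any naive threshold, yet GUID-named mutexes are routine in legitimate software, so they are routed to the parent_process_path and TimeWindow elements instead of being alerted on by entropy alone.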

AN0373

A file lock acquired via open()/openat() plus flock() or lockf() on a predictable path (e.g., /tmp/.lock123), followed by a conditional early exit or divergent process behavior. lockf() is a glibc wrapper around fcntl(F_SETLK), which is why fcntl appears in the syscall list; glibc implements open() with the openat system call on most architectures, so audit rules that watch only open miss the lock file being opened.

Log Sources
Data Component | Name | Channel
File Access (DC0055) | auditd:SYSCALL | open, openat, flock, fcntl, unlink
Process Termination (DC0033) | auditd:SYSCALL | exit_group

Mutable Elements
Field | Description
lockfile_path_regex | Match lock-file locations used by malware, e.g. /tmp/.lock* or /var/run/*lock; the path is in the PATH record that shares the SYSCALL record's audit serial.
exit_code | Track the exit status (the first argument, a0, of exit_group) for the specific codes (e.g., 1, 2) the sample returns when it finds the lock already held.
TimeWindow | Correlate a pid's lock-file access with that same pid's termination within N seconds.

AN0374

A user-mode application uses flock() or NSDistributedLock to gain exclusive access to a resource file (e.g., /tmp/guard.lock), and conditional logic alters execution if the lock is already held. The unified log records what a process or framework chooses to log, not the flock() system call itself, so the channel pattern below mostly matches applications that log their own lock handling; the lock file appearing under /tmp or /private/tmp is the sturdier artifact to collect alongside it.

Log Sources
Data Component | Name | Channel
OS API Execution (DC0021) | macos:unifiedlog | flock|NSDistributedLock|FileHandle.*lockForWriting
Process Termination (DC0033) | macos:unifiedlog | process.*exit.*code

Mutable Elements
Field | Description
lockfile_path | Path to the lock file (e.g., /tmp/*, /private/tmp/*; /tmp is a symlink to /private/tmp on macOS, so match both), tune per environment.
user_context | Flag processes running outside an interactive user session (launchd daemons and agents) that use these APIs.
TimeWindow | Correlate the lock attempt with the same process's exit across short time intervals.
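AN0373 and AN0374 describe the same correlation over different log sources: a lock attempt on a lockfile_path_regex match, then the same pid exiting with a configured exit_code inside TimeWindow. The following is an added example for this page, not MITRE's code, implementing that correlation over auditd records; the audit excerpt is constructed, with syscall numbers already resolved to names (as ausearch -i prints them) while the arguments a0/a1 stay in auditd's raw hexadecimal form. The same correlate() logic applies to AN0374 once unified-log records are normalized into the same type/syscall/pid/ts fields, which is why the example sits after both analytics.

```python
"""Correlate a lockfile guardrail check with rapid process exit (AN0373; the
same correlation serves AN0374 once unified-log records are parsed into the
same shape).

Added example, not code from the original page. The auditd excerpt below is
constructed: syscall numbers are already resolved to names (as ausearch -i
prints them) while the arguments a0/a1 stay in auditd's raw hexadecimal form.
"""
import re
from collections import defaultdict

# --- Mutable elements ----------------------------------------------------
LOCKFILE_RE = re.compile(r"^(/tmp/\.[^/]*lock[^/]*|/var/run/[^/]*lock[^/]*)$")  # lockfile_path_regex
TIME_WINDOW = 5.0          # seconds allowed between the lock attempt and exit_group
FAIL_EXIT_CODES = {1, 2}   # exit_code: statuses this sample uses when the lock is held

LOCK_SYSCALLS = {"flock", "fcntl"}   # lockf() is a glibc wrapper around fcntl(F_SETLK)
FCNTL_LOCK_CMDS = {0x6, 0x7}         # F_SETLK, F_SETLKW (x86_64 values)

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd record into a dict; adds float 'ts' and int 'serial'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def is_lock_attempt(rec):
    """flock(2) always locks; fcntl(2) only when the command is F_SETLK/F_SETLKW."""
    if rec["syscall"] == "flock":
        return True
    return rec["syscall"] == "fcntl" and int(rec.get("a1", "0"), 16) in FCNTL_LOCK_CMDS


def correlate(audit_text, lockfile_re=LOCKFILE_RE, window=TIME_WINDOW, exit_codes=FAIL_EXIT_CODES):
    """One alert per pid that locks a matching lockfile and exits with a tracked code within the window."""
    records = [parse_record(l) for l in audit_text.splitlines() if l.strip()]
    # PATH records share the serial of their SYSCALL record; skip the parent-directory item.
    paths = {r["serial"]: r["name"] for r in records
             if r["type"] == "PATH" and r.get("nametype") != "PARENT"}
    lockfile_of = {}                 # pid -> matched lockfile path
    attempts = defaultdict(list)     # pid -> [(ts, acquired)]
    alerts = []
    for r in records:
        if r["type"] != "SYSCALL":
            continue
        pid, sc = r["pid"], r["syscall"]
        if sc in ("open", "openat"):
            if lockfile_re.match(paths.get(r["serial"], "")):
                lockfile_of[pid] = paths[r["serial"]]
        elif sc in LOCK_SYSCALLS and pid in lockfile_of and is_lock_attempt(r):
            attempts[pid].append((r["ts"], r.get("success") == "yes"))
        elif sc == "exit_group" and pid in attempts:
            code = int(r.get("a0", "0"), 16)   # exit status is the first argument
            for ts, acquired in attempts[pid]:
                delta = r["ts"] - ts
                if 0 <= delta <= window and code in exit_codes:
                    alerts.append({"pid": pid, "comm": r.get("comm"), "exe": r.get("exe"),
                                   "lockfile": lockfile_of[pid], "lock_acquired": acquired,
                                   "exit_code": code, "seconds_to_exit": round(delta, 3)})
                    break
    return alerts


# Constructed sample: pid 4321 finds /tmp/.lock123 already locked (flock fails with
# EAGAIN, -11) and exits with status 1 within 50 ms; pid 5555 takes its lock and runs 45 s.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1712000000.101:501): syscall=openat success=yes exit=3 pid=4321 ppid=1 comm="updater" exe="/tmp/.u"
type=PATH msg=audit(1712000000.101:501): item=0 name="/tmp/" nametype=PARENT
type=PATH msg=audit(1712000000.101:501): item=1 name="/tmp/.lock123" nametype=NORMAL
type=SYSCALL msg=audit(1712000000.102:502): syscall=flock success=no exit=-11 a0=3 a1=6 pid=4321 ppid=1 comm="updater" exe="/tmp/.u"
type=SYSCALL msg=audit(1712000000.150:503): syscall=exit_group a0=1 pid=4321 ppid=1 comm="updater" exe="/tmp/.u"
type=SYSCALL msg=audit(1712000000.200:504): syscall=openat success=yes exit=4 pid=5555 ppid=1 comm="agentd" exe="/usr/sbin/agentd"
type=PATH msg=audit(1712000000.200:504): item=0 name="/var/run/agentd.lock" nametype=NORMAL
type=SYSCALL msg=audit(1712000000.201:505): syscall=fcntl success=yes exit=0 a0=4 a1=6 pid=5555 ppid=1 comm="agentd" exe="/usr/sbin/agentd"
type=SYSCALL msg=audit(1712000045.000:506): syscall=exit_group a0=0 pid=5555 ppid=1 comm="agentd" exe="/usr/sbin/agentd"
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT):
        print(alert)
```

Two tuning points follow from the code: the alert fires on the second execution (the one that finds the lock held and exits), so the first infection is only visible through the lock file's creation under lockfile_path_regex; and fcntl is filtered on its command argument because the same syscall is used for F_GETFL, F_SETFD and other non-locking operations that would otherwise swamp the correlation.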