Execution Guardrails: Mutual Exclusion

ID          Name
T1480.001   Environmental Keying
T1480.002   Mutual Exclusion

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource; only one thread or process can hold a given mutex at a time.[1]

While local mutexes exist only within a single process, allowing its threads to synchronize access to a resource, system (named) mutexes can be used to synchronize the activities of multiple processes.[1] By creating a uniquely named system mutex associated with a particular malware, adversaries can check whether the system has already been compromised: on Windows, a CreateMutex call that returns ERROR_ALREADY_EXISTS tells the new instance that an earlier one is still running, and the guardrail typically responds by exiting.[2]

In Linux environments, malware may instead attempt to acquire an advisory lock on a lock file (for example with flock or fcntl). If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.[3][4]

Mutex names may be hard-coded or dynamically generated using a predictable algorithm.[5] Because every instance must produce the same name for the check to work, the name is also a stable indicator that defenders can hunt for.
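
The single-instance guardrail described above, written out as an added example (this is illustrative code, not taken from any of the malware families listed on this page). On Windows it uses a named system mutex with the Global\ prefix and treats ERROR_ALREADY_EXISTS as "another instance is running"; elsewhere it uses a non-blocking exclusive flock on a lock file. The guard name and the /tmp lock directory are assumptions chosen so the example runs unprivileged; /var/run or /run would be the typical choice on a real host.

```c
#include <errno.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <sys/file.h>
#include <unistd.h>
#endif

/* Holder for the acquired guard: a mutex handle on Windows,
 * a locked file descriptor elsewhere. */
typedef struct {
#ifdef _WIN32
    HANDLE h;
#else
    int fd;
#endif
} instance_guard;

/* Try to become the single running instance identified by `name`.
 * Returns 1 if the guard was acquired (first instance), 0 if another
 * instance already holds it (the guardrail says: exit), -1 on error. */
int guard_acquire(const char *name, instance_guard *g)
{
#ifdef _WIN32
    /* A system (named) mutex; the Global\ prefix makes it visible to
     * every session, which is what the "already compromised?" check needs. */
    char full[256];
    snprintf(full, sizeof full, "Global\\%s", name);
    g->h = CreateMutexA(NULL, TRUE, full);
    if (g->h == NULL)
        return -1;
    /* CreateMutex succeeds even when the mutex exists; the tell is the
     * ERROR_ALREADY_EXISTS last-error code. */
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        CloseHandle(g->h);
        g->h = NULL;
        return 0;
    }
    return 1;
#else
    /* Lock-file variant. The /tmp directory is an assumption for this
     * example; real samples tend to use /var/run or /run. */
    char path[256];
    snprintf(path, sizeof path, "/tmp/%s.lock", name);
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    /* Non-blocking exclusive flock: fails with EWOULDBLOCK if any other
     * open file description (another process, or another open() in this
     * one) already holds it. The kernel drops the lock when the holder
     * exits or closes the descriptor, so a crashed instance cannot wedge it. */
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int saved = errno;
        close(fd);
        return saved == EWOULDBLOCK ? 0 : -1;
    }
    g->fd = fd;
    return 1;
#endif
}

/* Release the guard so a later instance can start. */
void guard_release(instance_guard *g)
{
#ifdef _WIN32
    if (g->h) { ReleaseMutex(g->h); CloseHandle(g->h); g->h = NULL; }
#else
    if (g->fd >= 0) { flock(g->fd, LOCK_UN); close(g->fd); g->fd = -1; }
#endif
}

int main(void)
{
    instance_guard g;
    /* Hypothetical guard name, not one of the indicators on this page. */
    int rc = guard_acquire("example-guard-t1480", &g);
    if (rc == 1) {
        puts("first instance: continuing");
        guard_release(&g);
    } else if (rc == 0) {
        puts("another instance is running: exiting");
    } else {
        perror("guard_acquire");
    }
    return rc == 1 ? 0 : 1;
}
```

Running two copies concurrently shows the behaviour the technique relies on: the first prints "first instance", the second sees the existing mutex or held lock and exits without doing anything else. Note that a mutex created without the Global\ prefix is scoped to the caller's session, so a per-session sample could run once per logged-on user.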

ID: T1480.002
Sub-technique of: T1480
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Manikantan Srinivasan, NEC Corporation India; Nagahama Hiroki, NEC Corporation Japan; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 19 September 2024
Last Modified: 28 October 2024

Procedure Examples

ID Name Description
S1070 Black Basta

Black Basta will check for the presence of a hard-coded mutex dsajdhas.0 before executing.[6]

S0168 Gazer

Gazer creates a mutex using the hard-coded value {531511FA-190D-5D85-8A4A-279F2F592CC7} to ensure that only one instance of itself is running.[7]

S0632 GrimAgent

GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic mymutex.[8]

S0012 PoisonIvy

PoisonIvy creates a mutex using either a custom or default value.[9]

S0496 REvil

REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.[10]

S0562 SUNSPOT

SUNSPOT creates a mutex using the hard-coded value {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure that only one instance of itself is running.[11]

Mitigations

ID Mitigation Description
M1055 Do Not Mitigate

Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for the suspicious creation of lock files, for example in runtime directories such as /var/run (/run on current distributions) or in shared-memory directories such as /dev/shm.[12]

DS0009 Process OS API Execution

Monitor for suspicious API calls associated with system mutex creation, such as CreateMutex (the CreateMutexA/CreateMutexW pair) and CreateMutexEx on Windows systems.[13] Because nearly every legitimate application creates mutexes, the call itself is a weak signal; the name is the useful feature, since it is rare for legitimate programs to create random-looking mutex names,[2] and known names such as those in the procedure examples above can be matched directly. A process that creates a named mutex, observes ERROR_ALREADY_EXISTS and immediately exits is the behavioural signature of the guardrail. Additionally, monitor for suspicious syscalls associated with lock files, such as flock or fcntl with F_SETLK on Linux, and check which process holds a lock on a file in a runtime directory.

References