ID | Name |
---|---|
T1480.001 | Environmental Keying |
T1480.002 | Mutual Exclusion |
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.[1]
While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.[1] By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.[2]
In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.[3][4]
Mutex names may be hard-coded or dynamically generated using a predictable algorithm.[5]
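The Linux lock-file variant described above, as an added example that is not from the ATT&CK page: a process takes a non-blocking exclusive `flock` on a lock file and a simulated second instance fails to acquire it, plus a hypothetical triage helper that lists which files in a directory are currently held by some process. The lock directory and file name are constructed placeholders, not paths from any real sample.

```python
import fcntl
import os
import tempfile
from typing import Optional

# Constructed placeholders: a scratch directory stands in for a shared
# location that a single-instance guard would use.
LOCK_DIR = tempfile.mkdtemp(prefix="mutex-demo-")
LOCK_PATH = os.path.join(LOCK_DIR, "instance.lock")


def acquire_instance_lock(path: str) -> Optional[int]:
    """Take an exclusive, non-blocking flock on `path`.

    Returns the open descriptor on success (kept open for the process
    lifetime) or None when another open file description already holds it,
    which is the 'second instance' case in which the guard makes it exit.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:  # EWOULDBLOCK: lock is held elsewhere
        os.close(fd)
        return None
    return fd


def release_instance_lock(fd: int) -> None:
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def held_lock_files(directory: str) -> list:
    """Hypothetical triage helper: regular files in `directory` that some
    process currently holds an flock on. A non-blocking probe never waits,
    and a probe that succeeds is released at once, so holders are undisturbed."""
    held = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        fd = os.open(path, os.O_RDONLY)  # flock does not need write access
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            fcntl.flock(fd, fcntl.LOCK_UN)
        except BlockingIOError:
            held.append(path)
        finally:
            os.close(fd)
    return held


def demo() -> tuple:
    first = acquire_instance_lock(LOCK_PATH)   # first instance: lock taken
    second = acquire_instance_lock(LOCK_PATH)  # second instance: refused
    held = held_lock_files(LOCK_DIR)           # shows the file as held
    release_instance_lock(first)
    third = acquire_instance_lock(LOCK_PATH)   # free again after release
    release_instance_lock(third)
    return (first is not None, second is None, held, third is not None)
```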
ID | Name | Description |
---|---|---|
S1070 | Black Basta | Black Basta will check for the presence of a hard-coded mutex |
S0168 | Gazer | Gazer creates a mutex using the hard-coded value |
S0632 | GrimAgent | GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic |
S0012 | PoisonIvy | PoisonIvy creates a mutex using either a custom or default value.[9] |
S0496 | REvil | REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.[10] |
S0562 | SUNSPOT | SUNSPOT creates a mutex using the hard-coded value |
ID | Mitigation | Description |
---|---|---|
M1055 | Do Not Mitigate | Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Creation | Monitor for the suspicious creation of lock files – for example, in shared memory directories such as |
DS0009 | Process | OS API Execution | Monitor for suspicious API calls associated with system mutex creation, such as |