Execution Guardrails: Mutual Exclusion

ID Name
T1480.001 Environmental Keying
T1480.002 Mutual Exclusion

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.[1]

While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.[1] By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.[2]

In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.[3][4]

Mutex names may be hard-coded or dynamically generated using a predictable algorithm.[5]

ID: T1480.002
Sub-technique of: T1480
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Manikantan Srinivasan, NEC Corporation India; Nagahama Hiroki, NEC Corporation Japan; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 19 September 2024
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
G0082 APT38

APT38 has created a mutex to avoid duplicate execution.[6]

S1070 Black Basta

Black Basta will check for the presence of a hard-coded mutex dsajdhas.0 before executing.[7]

S1161 BPFDoor

When executed, BPFDoor attempts to create and lock a runtime file, /var/run/initd.lock, and exits if it cannot obtain the lock on that file, which therefore acts as a makeshift mutex.[4]

S0168 Gazer

Gazer creates a mutex using the hard-coded value {531511FA-190D-5D85-8A4A-279F2F592CC7} to ensure that only one instance of itself is running.[8]

S0632 GrimAgent

GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic mymutex.[9]

S1202 LockBit 3.0

LockBit 3.0 can create and check for a mutex containing a hash of the MachineGUID value at execution to prevent running more than one instance.[10]

S0012 PoisonIvy

PoisonIvy creates a mutex using either a custom or default value.[11]

S0496 REvil

REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.[12]

S1183 StrelaStealer

StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.[13]

S0562 SUNSPOT

SUNSPOT creates a mutex using the hard-coded value {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure that only one instance of itself is running.[14]

S1196 Troll Stealer

Troll Stealer creates a mutex during installation to prevent duplicate execution.[15]

Mitigations

ID Mitigation Description
M1055 Do Not Mitigate

Execution Guardrails likely should not be mitigated with preventative controls, because the guardrail itself may protect unintended targets from being compromised. If targeted, efforts should focus on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if a compromise occurs.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for the suspicious creation of lock files – for example, in shared memory directories such as /var/run.[16]

DS0009 Process OS API Execution

Monitor for suspicious API calls associated with system mutex creation, such as CreateMutex/CreateMutexA on Windows systems.[17] For example, it is rare for legitimate programs to create random mutex names.[2] Additionally, monitor for suspicious syscalls associated with lock files, such as flock on Linux.
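The Linux lock-file variant described above (a process holds flock() on a file such as BPFDoor's /var/run/initd.lock and a second instance exits when it cannot get the lock) can be checked from the responder's side: a non-blocking flock() attempt tells you whether the file is currently held, and /proc/locks names the holder. This is an added example, not ATT&CK's or any referenced vendor's code; it assumes Linux flock(2) semantics and the /proc/locks table, and the demo uses a constructed temporary file in place of a real lock path.

```python
# Added example, not ATT&CK's. Assumes Linux flock(2) and /proc; demo path is a constructed temp file.
import fcntl
import os
import signal
import tempfile
import time

def lock_is_held(path: str) -> bool:
    """True if some process holds a flock() on path, e.g. /var/run/initd.lock."""
    # Read-only, never creates the file; the probe holds the lock only for an instant.
    if not os.path.exists(path):
        return False
    fd = os.open(path, os.O_RDONLY)       # flock() ignores the open mode
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:               # EWOULDBLOCK: another holder exists
        return True
    finally:
        os.close(fd)                      # also releases any lock we just took
    return False

def flock_holders(path: str) -> list[int]:
    """PIDs holding a FLOCK on path, from /proc/locks rows shaped like
    'N: FLOCK ADVISORY WRITE <pid> <maj>:<min>:<inode> <start> <end>'.
    Matches on inode only: on overlayfs the listed device can differ from stat()."""
    if not (os.path.exists(path) and os.path.exists("/proc/locks")):
        return []
    ino = os.stat(path).st_ino
    with open("/proc/locks") as f:
        return sorted({int(r[4]) for r in map(str.split, f)
                       if len(r) >= 6 and r[1] == "FLOCK" and r[5].endswith(f":{ino}")})

def demo() -> dict:
    """Fork a child that holds the lock; probe while held and again after release."""
    fd, path = tempfile.mkstemp(prefix="initd.lock-")   # constructed stand-in path
    os.close(fd)
    pid = os.fork()
    if pid == 0:                          # child: take the lock and idle until killed
        fcntl.flock(os.open(path, os.O_RDWR), fcntl.LOCK_EX)
        time.sleep(60)
        os._exit(0)
    while not lock_is_held(path):         # wait until the child actually owns it
        time.sleep(0.01)
    result = {"child": pid, "held": lock_is_held(path), "holders": flock_holders(path)}
    os.kill(pid, signal.SIGTERM)          # process exit releases the flock
    os.waitpid(pid, 0)
    result["held_after"] = lock_is_held(path)
    os.remove(path)
    return result
```

Because the probe briefly acquires the lock itself, run it once rather than in a tight loop on a live host, and treat an empty holder list as inconclusive where /proc/locks is unavailable (some sandboxes) or the host kernel predates pid-namespace translation of that table.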

References