Execution Guardrails: Mutual Exclusion (T1480.002)

Tactic: Stealth · Platforms: Linux, macOS, Windows

The interactive view maps 1 detection strategy, 1 mitigation, 2 threat groups, 18 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Execution Guardrails (T1480).

Overview

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.

While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes. By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.

In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.

Mutex names may be hard-coded or dynamically generated using a predictable algorithm.

Explore