Adversaries commonly create or open a named mutex so that only one copy of their implant runs on a host, or so that the components of a multi-stage infection can coordinate; the mutex name is therefore a frequently shared indicator. Because the same API is called by a great deal of legitimate software, SOC teams hunting for this behaviour in Azure Sentinel should pair the signal with process context and the exclusions described below rather than alerting on the call alone, since a bare mutex check is otherwise easy to miss among benign activity.
YARA Rule
rule win_mutex {
    meta:
        author = "x0r"
        description = "Create or check mutex"
        version = "0.1"
    strings:
        $c1 = "CreateMutex"
    condition:
        1 of ($c*)
}
This rule contains a single string pattern in its detection logic: the ASCII string "CreateMutex", which also matches the import names CreateMutexA, CreateMutexW and CreateMutexExW as they appear in a PE import table. Because the string carries no wide modifier, a UTF-16 copy of the name is not matched, and because a large share of legitimate Windows software calls this API, a hit on its own is a low-confidence tag rather than an alert. The following benign scenarios produce the same signal and should be filtered when the rule, or the behaviour it describes, is used for hunting:
Scenario: A system update or patching tool (e.g., Windows Update, SCCM) creates a mutex to ensure only one instance of the update process runs at a time.
Filter/Exclusion: Exclude processes belonging to known patching tools (e.g., the svchost.exe instance hosting the wuauserv Windows Update service, or the SCCM client process).
Scenario: A scheduled job (e.g., via Task Scheduler) runs a script or application that creates a mutex to prevent multiple instances from executing simultaneously.
Filter/Exclusion: Exclude processes launched by the Task Scheduler (e.g., correlate with the Task Scheduler operational log, or use the CommandLine and parent-process fields to identify scheduled tasks).
Scenario: A legitimate application (e.g., Microsoft Office, Adobe Acrobat) creates a mutex to manage shared resources or prevent multiple instances.
Filter/Exclusion: Exclude known application mutexes by exact name (e.g., the Global\{some-unique-id} values associated with Microsoft Office or Adobe); avoid broad prefix or wildcard exclusions, since malware routinely imitates legitimate mutex names.
Scenario: An administrator manually creates a mutex using a tool like Mutex Creator or via PowerShell to synchronize processes during maintenance.
Filter/Exclusion: Exclude the specific maintenance tooling (e.g., Mutex Creator or the documented PowerShell script) by image name and, where possible, by the change window in which it was run. Do not exclude on RunAs or Administrator privileges alone: adversaries routinely operate with elevated rights, so that filter would suppress the activity the rule exists to find.
Scenario: A database or application server (e.g., SQL Server, Oracle) creates a mutex to manage access to shared resources or prevent race conditions.
Filter/Exclusion: Exclude processes associated with known database services (e.g., sqlservr.exe, oracle.exe) or processes running under the corresponding service accounts.