Adversaries may create blank mutexes as part of the CRASHOVERRIDE malware to establish persistence or coordinate malicious activities across processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and disrupt adversary operations early.
YARA Rule
rule dragos_crashoverride_weirdMutex {
    meta:
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
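To make the detection logic concrete, the following added Python example (not part of the Dragos rule or this page) reimplements how the two hex strings above are matched: each token becomes one byte of a bytes regex, `??` becomes a single-byte wildcard, and the rule's `all of them` condition fires only when both sequences are present. It goes slightly beyond the rule by also handling YARA nibble wildcards such as `4?`. The sample buffers are constructed test data, not real malware, and the helper names (`scan`, `rule_matches`, `instantiate`) are this example's own.

```python
import re

# The two hex strings from the dragos_crashoverride_weirdMutex rule on this page.
PATTERNS = {
    "$s1": "81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0",
    "$s2": "8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00",
}


def _token_to_regex(tok: str) -> bytes:
    """Translate one hex token ('8d', '??', '4?', '?a') into a bytes-regex fragment."""
    if tok == "??":
        return b"."                                   # any single byte
    if "?" in tok:                                    # nibble wildcard: enumerate the bytes it admits
        hi, lo = tok[0], tok[1]
        allowed = [
            b for b in range(256)
            if (hi == "?" or (b >> 4) == int(hi, 16)) and (lo == "?" or (b & 0xF) == int(lo, 16))
        ]
        return b"[" + b"".join(re.escape(bytes([b])) for b in allowed) + b"]"
    return re.escape(bytes([int(tok, 16)]))          # literal byte


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string into a bytes regex (DOTALL so '??' also matches 0x0a)."""
    return re.compile(b"".join(_token_to_regex(t) for t in pattern.split()), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}


def scan(buf: bytes) -> dict:
    """Return {string name: [match offsets]} for every string in the rule."""
    return {name: [m.start() for m in rx.finditer(buf)] for name, rx in COMPILED.items()}


def rule_matches(buf: bytes) -> bool:
    """Emulate the rule's condition 'all of them': every string must hit at least once."""
    return all(scan(buf).values())


def instantiate(pattern: str, fill: int) -> bytes:
    """Build constructed test bytes from a pattern, substituting `fill` for each '??' byte."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())


# Constructed sample buffers (not real malware samples): one that carries both
# sequences and one that carries only $s1, so the 'all of them' condition fails.
SAMPLE_MATCH = (
    b"\x90" * 16
    + instantiate(PATTERNS["$s1"], 0x10)   # 25 bytes, lands at offset 16
    + b"\xcc" * 32
    + instantiate(PATTERNS["$s2"], 0x7F)   # 23 bytes, lands at offset 73
    + b"\x00" * 8
)
SAMPLE_PARTIAL = b"\x90" * 16 + instantiate(PATTERNS["$s1"], 0x10)


if __name__ == "__main__":
    for label, buf in (("both strings", SAMPLE_MATCH), ("only $s1", SAMPLE_PARTIAL)):
        print(label, scan(buf), "-> rule fires" if rule_matches(buf) else "-> no alert")
```

The partial buffer shows why `all of them` matters for precision: a file carrying only the first code sequence is reported by `scan` but never raises the rule, which is the behaviour a real YARA engine gives for this condition.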
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler or PowerShell job) creates a blank mutex as part of a system maintenance or cleanup process.
Filter/Exclusion: Check for CommandLine containing schtasks.exe, sfc.exe, or DISM.exe, or filter by ProcessName matching TaskScheduler or PowerShell.
Scenario: Windows Service Initialization
Description: A legitimate Windows service (e.g., SQL Server, IIS, or Windows Update) creates a blank mutex during initialization to synchronize service components.
Filter/Exclusion: Filter by ProcessName such as sqlservr.exe, w3wp.exe, or svchost.exe, or check for ImageFileName matching known service binaries.
Scenario: Antivirus or Endpoint Protection Scan
Description: An endpoint protection tool (e.g., Windows Defender, Kaspersky, or Bitdefender) creates a blank mutex during a full system scan to prevent multiple instances.
Filter/Exclusion: Check for CommandLine containing MpCmdRun.exe, MsMpEng.exe, or KavService.exe, or filter by ProcessName matching known antivirus processes.
Scenario: Administrative Tool for System Configuration
Description: An admin tool (e.g., Group Policy Management Console, Registry Editor, or Local Group Policy) creates a blank mutex when applying configuration changes.
Filter/Exclusion: Filter by CommandLine containing gpedit.msc, regedit.exe, or gpmc.msc, or check for User field indicating a domain admin or system account.
Scenario: Legacy Application Mutex Initialization
Description: A legacy enterprise application (e
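The scenarios above describe exclusions in terms of event fields (ProcessName, ImageFileName, CommandLine, User). The following added Python example, which is not part of this page, turns those exclusions into a small triage function over constructed mutex-creation records. The event schema and field names are assumptions modelled on the page's wording; the sample events are made up. It tightens the page's filters in one respect: a process name from the allowlist is only excluded when its image also sits under a trusted directory, so a binary merely named like a service does not get a free pass.

```python
from dataclasses import dataclass


@dataclass
class MutexEvent:
    """One mutex-creation record; field names follow the page's filter wording (assumed schema)."""
    ProcessName: str
    ImageFileName: str
    CommandLine: str
    User: str
    MutexName: str


# Allowlists drawn from the scenarios on this page. Names alone are weak evidence,
# so a process is excluded only when its image also lives under a trusted root.
BENIGN_PROCESSES = {"sqlservr.exe", "w3wp.exe", "svchost.exe",
                    "msmpeng.exe", "mpcmdrun.exe", "kavservice.exe"}
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\")
BENIGN_CMDLINE_MARKERS = ("schtasks.exe", "sfc.exe", "dism.exe",
                          "gpedit.msc", "regedit.exe", "gpmc.msc")


def exclusion_reason(ev: MutexEvent):
    """Return why a blank-mutex event is considered benign, or None if it needs analyst triage."""
    image = ev.ImageFileName.lower()
    name = image.rsplit("\\", 1)[-1]
    if name in BENIGN_PROCESSES and image.startswith(TRUSTED_ROOTS):
        return f"known service/AV binary in trusted path: {name}"
    cmd = ev.CommandLine.lower()
    if any(marker in cmd for marker in BENIGN_CMDLINE_MARKERS):
        return "maintenance/admin tooling on the command line"
    return None


def triage(events):
    """Keep only blank-mutex events that no exclusion explains."""
    return [ev for ev in events if ev.MutexName == "" and exclusion_reason(ev) is None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    MutexEvent("svchost.exe", r"C:\Windows\System32\svchost.exe",
               "svchost.exe -k netsvcs", r"NT AUTHORITY\SYSTEM", ""),
    MutexEvent("svchost.exe", r"C:\Users\Public\svchost.exe",   # service name, untrusted path
               "svchost.exe", r"CORP\jdoe", ""),
    MutexEvent("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -c schtasks.exe /Run /TN Cleanup", r"CORP\svc_maint", ""),
    MutexEvent("update.exe", r"C:\Users\Public\update.exe",
               "update.exe", r"CORP\jdoe", ""),
    MutexEvent("svchost.exe", r"C:\Windows\System32\svchost.exe",   # named mutex, out of scope
               "svchost.exe -k netsvcs", r"NT AUTHORITY\SYSTEM", r"Global\SvcSync"),
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("needs triage:", ev.ProcessName, ev.ImageFileName, ev.User)
```

The same logic is what a Sentinel hunting query would express as `where` clauses; keeping it as code makes the exclusions testable before they are deployed. Note that the command-line marker check is the weakest of the three filters, since any process can mention `schtasks.exe` in its arguments, so in production it is better paired with a signer or path check on the launching image.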