From d1eb7db431a1a7fd2562ebef47987058136c11bd Mon Sep 17 00:00:00 2001
From: Jos <11965973+DfirJos@users.noreply.github.com>
Date: Thu, 10 Aug 2023 10:45:47 +0200
Subject: [PATCH 1/2] Rename Windows.Detection.Registry.yaml to Registry.yaml
Rename to match the format with the other files in that folder.
---
 .../Detection/{Windows.Detection.Registry.yaml => Registry.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename artifacts/definitions/Windows/Detection/{Windows.Detection.Registry.yaml => Registry.yaml} (100%)
diff --git a/artifacts/definitions/Windows/Detection/Windows.Detection.Registry.yaml b/artifacts/definitions/Windows/Detection/Registry.yaml
similarity index 100%
rename from artifacts/definitions/Windows/Detection/Windows.Detection.Registry.yaml
rename to artifacts/definitions/Windows/Detection/Registry.yaml
From e5bd8bd6cc83cf8818bf3553159ae6c63cfe2f74 Mon Sep 17 00:00:00 2001
From: Jos <11965973+DfirJos@users.noreply.github.com>
Date: Thu, 10 Aug 2023 10:48:36 +0200
Subject: [PATCH 2/2] Create Mutants.yaml
---
 .../definitions/Windows/Events/Mutants.yaml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 artifacts/definitions/Windows/Events/Mutants.yaml
diff --git a/artifacts/definitions/Windows/Events/Mutants.yaml b/artifacts/definitions/Windows/Events/Mutants.yaml
new file mode 100644
index 00000000000..f60484d813e
--- /dev/null
+++ b/artifacts/definitions/Windows/Events/Mutants.yaml
@@ -0,0 +1,50 @@
+name: Windows.Events.Mutants
+description: |
+ This artifact detects creation of Mutants and triggers an alert.
+
+author: Jos Clephas - @DfirJos
+
+type: CLIENT_EVENT
+
+precondition:
+ SELECT * FROM info() WHERE OS =~ "windows"
+
+parameters:
+ - name: processRegex
+ description: A regex applied to process names.
+ default: .
+ type: regex
+ - name: Period
+ type: int
+ default: 120
+ - name: MutantNameRegex
+ default: EvillMutant
+ type: regex
+ - name: AlertName
+ default: "Suspicious mutex created"
+ - name: diff
+ default: added
+ - name: enrich
+ description: Enrich mutex with process information. Closely monitor the performance impact if you enable this.
+ type: bool
+ default: N
+
+sources:
+ - query: |
+
+ LET processes = SELECT Pid AS ProcPid, Name AS ProcName, Exe FROM pslist()
+ WHERE ProcName =~ processRegex AND ProcPid > 0
+
+ LET query_mutant = SELECT * FROM winobj() WHERE Type = "Mutant" AND Name =~ MutantNameRegex
+
+ LET query_enriched = SELECT * FROM foreach(
+ row=processes,
+ query={
+ SELECT ProcPid, ProcName, Exe, Type, Name, Handle
+ FROM handles(pid=ProcPid, types="Mutant")
+ })
+ WHERE Type = "Mutant" AND Name =~ MutantNameRegex
+
+ LET query_diff = if(condition=enrich, then=query_enriched, else=query_mutant)
+
+ SELECT *, alert(name=AlertName, Name=Name, Type=Type, Exe=Exe) as AlertSent FROM diff(query=query_diff, period=Period, key="Name") WHERE Diff = diff
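Review bot: On the default path (`enrich` left at N) the final `alert(... Exe=Exe)` references a column its rows do not carry: `query_mutant` is built from `winobj()` and nothing in the hunk shows that plugin returning an Exe column, so every alert on that path looks like it will be sent with an empty Exe, and the two branches of `query_diff` produce different row shapes. Giving both branches the same columns would fix that, e.g. `LET query_mutant = SELECT Name, Type, NULL AS ProcPid, NULL AS ProcName, NULL AS Exe FROM winobj() WHERE Type = "Mutant" AND Name =~ MutantNameRegex`. Keying `diff()` on `Name` alone also means that, in the enriched path, a mutant name that is later opened by a second process is never reported as added, so a computed key that includes ProcPid may be what the enrichment is meant to provide. The parameter named `diff` shares its name with the `diff()` plugin it is compared against on the last line; a name like `DiffType` would read less ambiguously. The description should also state the polling caveat: a mutant created and released within one `Period` (120 s by default) is never observed by this artifact.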