security
SECURITY RUNBOOK
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
- 1. Purpose
- 1.1 Source-of-Truth Alignment
- 2. Primary Runtime Events
- 3. Key Controls
- 3.1 Policy Controls
- 3.2 Probe Controls
- 3.3 Telemetry Controls
- 4. First 10 Minutes Checklist
- 5. Event-by-Event Triage
- 5.1 signature_failed
- 5.2 debugger_detected
- 5.3 sandbox_detected
- 5.4 process_protection_detected
- 5.5 integrity_failed
- 6. Severity Guidance
- 7. Evidence Collection Snippets
- 7.1 PowerShell
- 7.2 Linux
- 8. Recovery Rules
- 9. Common Policy and Environment Combinations
- 9.1 Production Strict (Fail Closed)
- 9.2 Production Standard (Balanced)
- 9.3 Investigation Mode (Delay + Observe)
- 9.4 Compatibility Triage (Temporary)
- 9.5 Probe Off (Debug Baseline)
- 9.6 Linux Example (Strict)
- 9.7 Reset to Defaults
1. Purpose
This runbook explains how to triage and respond to Mutant runtime security events using current code behavior.
1.1 Source-of-Truth Alignment
This runbook is operational guidance. When any statement here conflicts with low-level design, treat the following as authoritative and update this file:
- SECURITY_LLD
- SECURITY_LLD_TRACEABILITY
- ANTITAMPER_PROBE_ENABLEMENT_LLD
- BINARY_ARTIFACT_SECURITY_DEEP_DIVE
- REMOTE_PROCESS_SCAN_DEEP_DIVE
Alignment rules:
- Keep mode and policy semantics identical to LLD definitions.
- Keep runtime configuration setting names and defaults identical to implementation.
- Avoid introducing undocumented flags or implied capabilities.
2. Primary Runtime Events
- signature_failed
- debugger_detected
- sandbox_detected
- process_protection_detected
- integrity_failed
- anti_tamper_probe_error
- remote_process_scan_error
- remote_process_suspicious
- remote_process_critical
- command_blocked
- command_failed
3. Key Controls
3.1 Policy Controls
runtime setting=warn|delay|terminateruntime setting= delay duration (0..5000)runtime setting=minimal|standard|paranoid--signer-authenables trusted signer verification in secure mode.
3.2 Probe Controls
runtime setting=1enables anti-tamper probe execution.runtime settingcontrols runner process-protection enforcement when probes are enabled.runtime setting=1enables remote scan manager execution.runtime setting=off|observe|enforcecontrols block vs observe behavior.runtime settingandruntime settingtune scan scope.
3.3 Telemetry Controls
runtime setting=1emits audit lines to stderr.runtime setting=<path>exports JSON telemetry snapshot on exit.
4. First 10 Minutes Checklist
- Capture stderr output including
[security]and[security-audit]lines. - Save telemetry JSON if enabled.
- Record mode/profile/env values (
MUTANT_*). - Record artifact hash and executable hash.
- Identify whether event is isolated or fleet-wide.
5. Event-by-Event Triage
5.1 signature_failed
- Verify trusted signer key configuration.
- Confirm artifact source and release pipeline integrity.
- In production, keep terminate posture until signer chain is trusted.
5.2 debugger_detected
- Check whether debugger activity is expected for host role.
- Correlate with signature/integrity/process-protection events.
- If unexpected in production, isolate and redeploy trusted artifact.
5.3 sandbox_detected
- Confirm host classification (real host vs test sandbox).
- Validate if sandbox execution was intended.
- For production, treat unexplained sandbox signals as suspicious.
5.4 process_protection_detected
- Confirm anti-tamper probe gate was enabled.
- Review probe signal details and confidence values.
- On repeated high-confidence hits, isolate host and inspect instrumentation/hooking context.
5.5 integrity_failed
- Treat as potential active tampering.
- Isolate host and preserve evidence.
- Re-run artifact on known-clean host to differentiate artifact vs environment compromise.
6. Severity Guidance
- integrity_failed: critical baseline
- signature_failed: high baseline
- process_protection_detected: high baseline
- debugger_detected: medium baseline
- sandbox_detected: medium baseline
- anti_tamper_probe_error: low to medium (depends on environment)
Production guidance:
- Never downgrade integrity failures below high severity.
- Keep explicit exceptions narrow, temporary, and documented.
7. Evidence Collection Snippets
7.1 PowerShell
$ts = Get-Date -Format "yyyyMMdd-HHmmss"
$dir = "./incident-$ts"
New-Item -ItemType Directory -Path $dir | Out-Null
Get-ChildItem MUTANT_* | Out-File "$dir/env.txt"
Get-FileHash .\mutant.exe -Algorithm SHA256 | Out-File "$dir/hashes.txt"
if (Test-Path .\telemetry.json) { Copy-Item .\telemetry.json "$dir/telemetry.json" }
7.2 Linux
ts=$(date +%Y%m%d-%H%M%S)
dir=incident-$ts
mkdir -p "$dir"
env | grep '^MUTANT_' > "$dir/env.txt"
sha256sum ./mutant > "$dir/hashes.txt"
[ -f ./telemetry.json ] && cp ./telemetry.json "$dir/telemetry.json"
8. Recovery Rules
- Recover only from trusted, re-verified artifacts.
- Do not globally relax policy to solve one false positive.
- Prefer scoped allowlists and short-lived exceptions.
- Track post-incident hardening actions in backlog.
9. Common Policy and Environment Combinations
Use these presets as starting points. Prefer short-lived overrides and document every change in incident notes.
9.1 Production Strict (Fail Closed)
Use when running trusted release artifacts in production.
runtime setting = "terminate"
runtime setting = "paranoid"
runtime setting = "1"
runtime setting = "1"
runtime setting = "1"
runtime setting = ".\telemetry.json"
9.2 Production Standard (Balanced)
Use for broad production rollout with strong defaults and lower friction.
runtime setting = "terminate"
runtime setting = "standard"
runtime setting = "1"
runtime setting = "1"
runtime setting = "1"
9.3 Investigation Mode (Delay + Observe)
Use during controlled triage when you need more evidence before termination.
runtime setting = "delay"
runtime setting = "1500"
runtime setting = "standard"
runtime setting = "1"
runtime setting = "1"
runtime setting = "1"
runtime setting = ".\telemetry.json"
9.4 Compatibility Triage (Temporary)
Use only for short-lived false-positive isolation and root-cause analysis.
runtime setting = "warn"
runtime setting = "minimal"
runtime setting = "1"
runtime setting = "0"
runtime setting = "1"
9.5 Probe Off (Debug Baseline)
Use to separate probe-related signals from other runtime controls.
runtime setting = "0"
runtime setting = "0"
runtime setting = "warn"
9.6 Linux Example (Strict)
export runtime setting=terminate
export runtime setting=paranoid
export runtime setting=1
export runtime setting=1
export runtime setting=1
export runtime setting=./telemetry.json
9.7 Reset to Defaults
Remove-Item runtime setting -ErrorAction SilentlyContinue
Remove-Item runtime setting -ErrorAction SilentlyContinue
Remove-Item runtime setting -ErrorAction SilentlyContinue
Remove-Item runtime setting -ErrorAction SilentlyContinue
Remove-Item runtime setting -ErrorAction SilentlyContinue
Remove-Item runtime setting -ErrorAction SilentlyContinue
Remove-Item runtime setting -ErrorAction SilentlyContinue