T1564.011

Ignore Process Interrupts

Adversaries evade defensive mechanisms by launching processes immune to interrupt signals, preventing analyst-driven or system-triggered termination. The primary technique is nohup on Linux and macOS, which detaches a process from the controlling terminal and causes it to ignore SIGHUP—the hangup signal sent when a session ends or a terminal closes. Malware authors also call signal() or sigaction() directly to mask SIGINT, SIGTERM, SIGPIPE, SIGCHLD, and other control signals, as documented in BPFDoor (masks 7 signals) and BOLDMOVE (masks SIGCHLD, SIGHUP, SIGPIPE). On Windows, PowerShell's -ErrorAction SilentlyContinue or $ErrorActionPreference = 'SilentlyContinue' prevents script termination on errors, allowing malicious payloads to continue past failures that would otherwise halt execution. Real-world usage includes GoldMax Linux variant (nohup invocation for C2 persistence through SSH disconnection), UNC3886 (nohup /bin/support in /etc/init.d/localnet for semi-persistence across reboots), Sea Turtle running SnappyTCP via nohup, and OSX/Shlayer applying nohup to payload execution on macOS. Unlike Trap (T1546.005), this technique does not re-invoke the process after termination—it only prolongs the existing execution session through events that would otherwise end it.

Microsoft Sentinel / Defender

kusto

let LookbackPeriod = 24h;
let SuspiciousNohupPayloads = dynamic([
    "/tmp/", "/var/tmp/", "/dev/shm/", "/run/",
    "nc ", "ncat ", "netcat", "socat",
    "python", "perl", "ruby",
    "bash -i", "sh -i", "dash -i",
    "chmod", "curl ", "wget ",
    "/etc/init.d/", "/etc/rc.", "/etc/cron"
]);
let PSErrorSuppressionTerms = dynamic([
    "SilentlyContinue", "ErrorActionPreference",
    "-ErrorAction Ignore", "-EA Ignore",
    "-ErrorAction SilentlyContinue", "-EA SilentlyContinue"
]);
let PSMaliciousIndicators = dynamic([
    "Invoke-WebRequest", "IWR ", "Net.WebClient", "DownloadString", "DownloadFile",
    "Invoke-Expression", "IEX(", "IEX ", "-EncodedCommand", "-enc ",
    "Start-BitsTransfer", "schtasks", "sc create", "reg add",
    "New-Service", "Set-MpPreference", "Add-MpPreference",
    "Invoke-Mimikatz", "certutil"
]);
// Linux/macOS: nohup process creation or processes whose parent is nohup
let NohupExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName == "nohup"
    or InitiatingProcessFileName == "nohup"
    or (ProcessCommandLine matches regex @"(?i)\bnohup\s+\S" 
        and FileName in~ ("bash", "sh", "dash", "zsh", "ksh", "python3", "python", "perl", "ruby"))
| extend IsNohupParent = InitiatingProcessFileName == "nohup"
| extend BackgroundExecution = ProcessCommandLine has "&"
| extend TempDirPayload = ProcessCommandLine has_any ("/tmp/", "/var/tmp/", "/dev/shm/")
| extend SuspiciousNetTool = ProcessCommandLine has_any ("nc ", "ncat ", "netcat", "socat")
| extend InteractiveShell = ProcessCommandLine has_any ("bash -i", "sh -i", "dash -i", "/bin/bash -c", "/bin/sh -c")
| extend PersistencePath = ProcessCommandLine has_any ("/etc/init.d/", "/etc/rc.", "/etc/cron", "/etc/profile", "~/.bashrc", "~/.bash_profile")
| extend SuspiciousPayload = ProcessCommandLine has_any (SuspiciousNohupPayloads)
| extend SuspicionScore = toint(BackgroundExecution) + toint(TempDirPayload) + toint(SuspiciousNetTool) + toint(InteractiveShell) + toint(PersistencePath)
| extend DetectionType = "nohup_interrupt_ignore";
// Windows: PowerShell executing with error suppression combined with malicious patterns
let PSErrorSuppression = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PSErrorSuppressionTerms)
| extend HasMaliciousIndicator = ProcessCommandLine has_any (PSMaliciousIndicators)
| extend HasEncodedCommand = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ")
| extend HasDownloadCradle = ProcessCommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "DownloadString", "DownloadFile")
| extend HasPersistenceAction = ProcessCommandLine has_any ("schtasks", "sc create", "reg add", "New-Service")
| extend HasDefenseEvasion = ProcessCommandLine has_any ("Set-MpPreference", "Add-MpPreference", "DisableRealtimeMonitoring")
| extend SuspicionScore = toint(HasMaliciousIndicator) + toint(HasEncodedCommand) + toint(HasDownloadCradle) + toint(HasPersistenceAction) + toint(HasDefenseEvasion)
| where SuspicionScore > 0
| extend DetectionType = "ps_error_suppression";
// Union both detection types
NohupExecution
| union PSErrorSuppression
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionType, SuspicionScore
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux agent) Microsoft Defender for Endpoint (Windows)

Required Tables

DeviceProcessEvents

False Positives

System administrators running long-duration jobs with nohup to survive SSH disconnection (e.g., nohup rsync, nohup tar, nohup python batch jobs)
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions) using nohup to daemonize build processes or test runners
Monitoring and observability daemons (Datadog agent, Prometheus exporters, Telegraf) started via init scripts or cron using nohup
Software installation scripts using nohup to continue package downloads after session timeout
PowerShell automation scripts using -ErrorAction SilentlyContinue to handle expected errors in idempotent deployment scripts (SCCM, DSC, Intune)
Developer workstations where nohup is used to keep local development servers running after terminal close

Splunk

spl

(
  index=linux_logs (sourcetype="linux_audit" type=EXECVE a0="nohup")
  | eval DetectionType="nohup_exec", Platform="Linux"
  | eval NohupTarget=coalesce(a1, "")
  | eval NohupArgs=mvjoin(mvsort(mvfilter(match(mvmap(split("a2 a3 a4 a5 a6 a7", " "), "*"), ".*")), " ")
  | eval BackgroundExecution=if(match(NohupTarget."-".NohupArgs, "&"), 1, 0)
  | eval TempDirPayload=if(match(NohupTarget, "(/tmp/|/var/tmp/|/dev/shm/)"), 1, 0)
  | eval SuspiciousNetTool=if(match(NohupTarget, "(netcat|ncat|socat|/bin/nc)"), 1, 0)
  | eval InteractiveShell=if(match(coalesce(a2,"")."-".coalesce(a3,""), "(-i|-c)"), 1, 0)
  | eval PersistencePath=if(match(NohupTarget, "(/etc/init\.d/|/etc/rc|/etc/cron|/etc/profile)"), 1, 0)
  | eval SuspicionScore=BackgroundExecution+TempDirPayload+SuspiciousNetTool+InteractiveShell+PersistencePath
  | table _time, host, auid, uid, a0, a1, a2, a3, a4, DetectionType, Platform, SuspicionScore
)
| append
    [search index=linux_logs sourcetype="syslog" "nohup " NOT (process="cron" OR process="anacron" OR process="CRON")
    | rex field=_raw "nohup\s+(?P<NohupTarget>\S+)(?P<NohupArgs>.*)"
    | eval DetectionType="nohup_syslog", Platform="Linux/macOS"
    | eval TempDirPayload=if(match(NohupTarget, "(/tmp/|/var/tmp/|/dev/shm/)"), 1, 0)
    | eval SuspiciousNetTool=if(match(NohupTarget, "(netcat|ncat|socat|/bin/nc)"), 1, 0)
    | eval SuspicionScore=TempDirPayload+SuspiciousNetTool
    | table _time, host, process, NohupTarget, NohupArgs, DetectionType, Platform, SuspicionScore]
| append
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    (CommandLine="*SilentlyContinue*" OR CommandLine="*-ErrorAction Ignore*" OR CommandLine="*ErrorActionPreference*")
    | eval CmdLower=lower(CommandLine)
    | eval DetectionType="ps_error_suppression", Platform="Windows"
    | eval HasMaliciousIndicator=if(match(CmdLower, "(invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile|invoke-expression|iex\(|iex\s|-encodedcommand|-enc\s)"), 1, 0)
    | eval HasPersistence=if(match(CmdLower, "(schtasks|sc\s+create|reg\s+add|new-service|set-mppreference)"), 1, 0)
    | eval HasNetworkTool=if(match(CmdLower, "(start-bitstransfer|certutil|bitsadmin)"), 1, 0)
    | eval SuspicionScore=HasMaliciousIndicator+HasPersistence+HasNetworkTool
    | where SuspicionScore > 0
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, Platform, SuspicionScore]
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Linux auditd (EXECVE records) Sysmon Event ID 1 (Process Create)

Required Sourcetypes

linux_audit syslog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators running long-duration jobs with nohup over SSH (rsync, tar, database exports, compilation jobs)
CI/CD pipeline runners using nohup to background test processes or long-running build steps
Monitoring agents (Datadog, New Relic, Nagios plugins) launched via cron or init scripts using nohup
PowerShell DSC or SCCM deployment scripts using -ErrorAction SilentlyContinue to handle expected configuration drift
Package management scripts (apt, yum hooks) that use nohup internally for non-blocking post-install steps
Scheduled batch jobs where nohup is standard practice for session independence

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5s
[
  process where event.type == "start" and
  (
    process.name == "nohup" or
    process.parent.name == "nohup" or
    (
      process.args : ["nohup"] and
      process.name in ("bash", "sh", "dash", "zsh", "ksh", "python3", "python", "perl", "ruby")
    )
  )
] by process.pid

| sequence by host.name with maxspan=30m
[
  process where event.type == "start" and
  process.name : ("powershell.exe", "pwsh.exe") and
  (
    process.command_line : ("*SilentlyContinue*", "*ErrorActionPreference*", "*-ErrorAction Ignore*", "*-EA Ignore*", "*-EA SilentlyContinue*")
  ) and
  (
    process.command_line : ("*Invoke-WebRequest*", "*IWR *", "*Net.WebClient*", "*DownloadString*", "*DownloadFile*",
                            "*Invoke-Expression*", "*IEX(*", "*-EncodedCommand*", "*-enc *",
                            "*schtasks*", "*sc create*", "*reg add*", "*New-Service*",
                            "*Set-MpPreference*", "*Add-MpPreference*", "*certutil*")
  )
]

// Standalone nohup detection with suspicion scoring
process where event.type == "start" and
(
  process.name == "nohup" or
  process.parent.name == "nohup" or
  (
    process.command_line : "*nohup *" and
    process.name in ("bash", "sh", "dash", "zsh", "ksh", "python3", "python", "perl", "ruby")
  )
) and
(
  process.command_line : ("/tmp/*", "/var/tmp/*", "/dev/shm/*") or
  process.command_line : ("*nc *", "*ncat *", "*netcat*", "*socat*") or
  process.command_line : ("*bash -i*", "*sh -i*", "*dash -i*") or
  process.command_line : ("*/etc/init.d/*", "*/etc/rc.*", "*/etc/cron*") or
  process.command_line : ("*curl *", "*wget *", "*chmod *")
)

high severity medium confidence

Data Sources

Elastic Endpoint Security Auditbeat (auditd module) Winlogbeat (Sysmon) Elastic Agent (system integration)

Required Tables

logs-endpoint.events.process-* auditbeat-* winlogbeat-*

False Positives

Legitimate use of nohup by system administrators running long-lived maintenance scripts or backup jobs that must survive SSH session termination
CI/CD pipeline agents and build systems invoking nohup to daemonize build workers, test runners, or artifact publishing processes
PowerShell scripts using -ErrorAction SilentlyContinue for defensive scripting patterns where cmdlets may fail gracefully, such as checking for optional registry keys or testing network connectivity

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  hostname AS device_name,
  username,
  "process" AS process_name,
  "cmdline" AS command_line,
  CASE
    WHEN LOWER("cmdline") MATCHES '.*nohup\s+.*(\x2ftmp\x2f|\x2fvar\x2ftmp\x2f|\x2fdev\x2fshm\x2f).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(netcat|ncat|socat|\x2fbin\x2fnc\s).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(-i\s|bash\s-i|sh\s-i).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*\x2fetc\x2finit\.d\x2f.*|.*\x2fetc\x2frc\..*|.*\x2fetc\x2fcron.*' THEN 1 ELSE 0
  END +
  CASE
    WHEN "cmdline" MATCHES '.*&\s*$' THEN 1 ELSE 0
  END AS nohup_suspicion_score,
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(invoke-webrequest|net\.webclient|downloadstring|downloadfile|invoke-expression|iex\(|-encodedcommand|-enc\s).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(schtasks|sc\screate|reg\sadd|new-service|set-mppreference|add-mppreference).*' THEN 1 ELSE 0
  END +
  CASE
    WHEN LOWER("cmdline") MATCHES '.*(certutil|start-bitstransfer|bitsadmin).*' THEN 1 ELSE 0
  END AS ps_suspicion_score,
  CASE
    WHEN "process" LIKE 'nohup' OR "cmdline" LIKE '%nohup %' THEN 'nohup_interrupt_ignore'
    WHEN LOWER("process") IN ('powershell.exe', 'pwsh.exe') AND
         LOWER("cmdline") MATCHES '.*(silentlycontinue|erroractionpreference|-erroraction ignore|-ea ignore).*' THEN 'ps_error_suppression'
    ELSE 'unknown'
  END AS detection_type,
  CATEGORYNAME(category) AS event_category,
  sourceip AS source_ip
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Apple Mac OS X', 'Microsoft Windows', 'Sysmon')
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    -- nohup detection (Linux/macOS)
    "process" = 'nohup'
    OR (
      "cmdline" LIKE '%nohup %' AND
      "process" IN ('bash', 'sh', 'dash', 'zsh', 'ksh', 'python3', 'python', 'perl', 'ruby')
    )
    -- PowerShell error suppression with malicious indicators (Windows)
    OR (
      LOWER("process") IN ('powershell.exe', 'pwsh.exe') AND
      LOWER("cmdline") MATCHES '.*(silentlycontinue|erroractionpreference|-erroraction ignore|-ea ignore|-ea silentlycontinue).*' AND
      LOWER("cmdline") MATCHES '.*(invoke-webrequest|net\.webclient|downloadstring|invoke-expression|iex\(|-encodedcommand|schtasks|sc\screate|reg\sadd|new-service|set-mppreference|certutil).*'
    )
  )
ORDER BY event_time DESC

high severity medium confidence

Data Sources

Linux OS log source (auditd/syslog) Windows Security Event log Sysmon for Windows Apple macOS log source

Required Tables

events

False Positives

Scheduled maintenance tasks run via nohup by operations teams to ensure job completion despite cron or SSH disconnects
Developer toolchains invoking nohup to start background services, compilers, or long-running test suites in non-interactive shells
PowerShell automation and monitoring scripts that defensively suppress errors when probing system state for optional features or registry paths

Sumo Logic CSE

sql

// T1564.011 - Ignore Process Interrupts: nohup + PowerShell Error Suppression
// Part 1: Linux/macOS nohup detection via auditd or syslog
(
  (_sourceCategory=linux/audit OR _sourceCategory=linux/syslog OR _sourceCategory=macos/syslog)
  (
    "nohup" OR "EXECVE"
  )
  // Exclude known-good cron/scheduler invocations
  NOT (process="cron" OR process="anacron" OR process="CRON" OR _raw matches /crond.+nohup/)
  | parse regex field=_raw "(?:a0|cmd|command|comm)=\"?(?P<exec_cmd>[^\"\s]+)" nodrop
  | parse regex field=_raw "nohup\s+(?P<nohup_target>\S+)(?P<nohup_args>.*)" nodrop
  | where exec_cmd = "nohup" OR nohup_target != ""
  | eval detection_type = "nohup_interrupt_ignore"
  | eval platform = "Linux/macOS"
  | eval temp_dir_payload = if(nohup_target matches "/tmp/.*" OR nohup_target matches "/var/tmp/.*" OR nohup_target matches "/dev/shm/.*", 1, 0)
  | eval suspicious_net_tool = if(nohup_target matches ".*(netcat|ncat|socat|\/bin\/nc).*", 1, 0)
  | eval interactive_shell = if(nohup_args matches ".*(\-i|bash\s\-i|sh\s\-i).*", 1, 0)
  | eval persistence_path = if(nohup_target matches ".*\/etc\/init\.d\/.*" OR nohup_target matches ".*\/etc\/rc\..*" OR nohup_target matches ".*\/etc\/cron.*", 1, 0)
  | eval background_exec = if(_raw matches ".*&\s*$", 1, 0)
  | eval suspicion_score = temp_dir_payload + suspicious_net_tool + interactive_shell + persistence_path + background_exec
  | fields _time, _sourceHost, exec_cmd, nohup_target, nohup_args, detection_type, platform, suspicion_score
)
// Part 2: Windows PowerShell error suppression with malicious indicators
| union
(
  (_sourceCategory=windows/sysmon OR _sourceCategory=windows/security)
  ("powershell.exe" OR "pwsh.exe")
  ("SilentlyContinue" OR "ErrorActionPreference" OR "-ErrorAction Ignore" OR "-EA Ignore")
  | parse regex field=_raw "(?i)(?:CommandLine|cmd)\s*=\s*\"?(?P<command_line>[^\"\n]+)" nodrop
  | parse regex field=_raw "(?i)(?:Image|process)\s*=\s*\"?(?P<process_image>[^\"\n]+)" nodrop
  | where process_image matches "(?i).*(powershell\.exe|pwsh\.exe)"
  | eval cmd_lower = toLowerCase(command_line)
  | eval has_download_cradle = if(cmd_lower matches ".*(invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile).*", 1, 0)
  | eval has_exec_cradle = if(cmd_lower matches ".*(invoke-expression|iex\(|iex\s|-encodedcommand|-enc\s).*", 1, 0)
  | eval has_persistence = if(cmd_lower matches ".*(schtasks|sc\s+create|reg\s+add|new-service).*", 1, 0)
  | eval has_defense_evasion = if(cmd_lower matches ".*(set-mppreference|add-mppreference|disablerealtimemonitoring).*", 1, 0)
  | eval has_network_util = if(cmd_lower matches ".*(certutil|start-bitstransfer|bitsadmin).*", 1, 0)
  | eval suspicion_score = has_download_cradle + has_exec_cradle + has_persistence + has_defense_evasion + has_network_util
  | where suspicion_score > 0
  | eval detection_type = "ps_error_suppression"
  | eval platform = "Windows"
  | eval nohup_target = ""
  | fields _time, _sourceHost, process_image as exec_cmd, command_line as nohup_args, nohup_target, detection_type, platform, suspicion_score
)
| where suspicion_score >= 0
| sort by _time desc
| fields _time, _sourceHost, exec_cmd, nohup_target, nohup_args, detection_type, platform, suspicion_score

high severity medium confidence

Data Sources

Linux auditd (via Sumo Logic installed collector) Linux/macOS syslog Windows Sysmon (via Sumo Logic installed collector) Windows Security Event log

Required Tables

_sourceCategory=linux/audit _sourceCategory=linux/syslog _sourceCategory=macos/syslog _sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

System administrators and DevOps engineers using nohup to launch long-running background processes (database migrations, backups, build jobs) that must survive terminal disconnects
Legitimate monitoring agents and daemon startup scripts in /etc/init.d or /etc/rc.d that invoke nohup to ensure process resilience
Infrastructure automation tooling (Ansible, Chef, Puppet) using PowerShell with -ErrorAction SilentlyContinue when idempotently checking or creating system resources

Google Chronicle / SecOps

yaral

rule T1564_011_Ignore_Process_Interrupts {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1564.011 Ignore Process Interrupts via nohup execution on Linux/macOS with suspicious payload characteristics, or PowerShell error suppression combined with malicious indicators on Windows."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.011"
    severity = "HIGH"
    priority = "HIGH"
    platforms = "Linux, macOS, Windows"
    created = "2026-04-21"
    version = "1.0"

  events:
    // Pattern 1: nohup execution on Linux/macOS
    (
      $nohup_proc.metadata.event_type = "PROCESS_LAUNCH"
      and (
        // Direct nohup invocation
        $nohup_proc.target.process.file.full_path = /\/bin\/nohup$/ nocase
        or $nohup_proc.target.process.file.full_path = /\/usr\/bin\/nohup$/ nocase
        or $nohup_proc.target.process.command_line = /\bnohup\s+\S/ nocase
        // Process spawned by nohup parent
        or $nohup_proc.principal.process.file.full_path = /nohup$/ nocase
      )
      and (
        // Suspicious payload destinations
        $nohup_proc.target.process.command_line = /\/tmp\/|\/var\/tmp\/|\/dev\/shm\// nocase
        or $nohup_proc.target.process.command_line = /\b(nc|ncat|netcat|socat)\s/ nocase
        or $nohup_proc.target.process.command_line = /(bash|sh|dash)\s+-i/ nocase
        or $nohup_proc.target.process.command_line = /\/etc\/init\.d\/|\/etc\/rc\.|\/etc\/cron/ nocase
        or $nohup_proc.target.process.command_line = /\b(curl|wget)\s/ nocase
        or $nohup_proc.target.process.command_line = /\/etc\/profile|\.bashrc|\.bash_profile/ nocase
      )
      and not $nohup_proc.principal.process.file.full_path = /(cron|anacron|crond)$/ nocase
    )
    or
    // Pattern 2: PowerShell error suppression + malicious indicators on Windows
    (
      $nohup_proc.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $nohup_proc.target.process.file.full_path = /\\powershell\.exe$/ nocase
        or $nohup_proc.target.process.file.full_path = /\\pwsh\.exe$/ nocase
      )
      and (
        $nohup_proc.target.process.command_line = /SilentlyContinue|ErrorActionPreference|-ErrorAction\s+Ignore|-EA\s+Ignore/ nocase
      )
      and (
        $nohup_proc.target.process.command_line = /Invoke-WebRequest|IWR\s|Net\.WebClient|DownloadString|DownloadFile/ nocase
        or $nohup_proc.target.process.command_line = /Invoke-Expression|IEX\(|IEX\s|-EncodedCommand|-enc\s/ nocase
        or $nohup_proc.target.process.command_line = /schtasks|sc\s+create|reg\s+add|New-Service/ nocase
        or $nohup_proc.target.process.command_line = /Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring/ nocase
        or $nohup_proc.target.process.command_line = /certutil|Start-BitsTransfer|bitsadmin/ nocase
      )
    )

  match:
    $nohup_proc.principal.hostname over 1h

  outcome:
    $risk_score = max(
      if($nohup_proc.target.process.command_line = /\/tmp\/|\/var\/tmp\/|\/dev\/shm\//, 20) +
      if($nohup_proc.target.process.command_line = /\b(nc|ncat|netcat|socat)\s/, 30) +
      if($nohup_proc.target.process.command_line = /(bash|sh|dash)\s+-i/, 25) +
      if($nohup_proc.target.process.command_line = /\/etc\/init\.d\/|\/etc\/cron/, 25) +
      if($nohup_proc.target.process.command_line = /SilentlyContinue|ErrorActionPreference/, 15) +
      if($nohup_proc.target.process.command_line = /Invoke-Expression|IEX\(|-EncodedCommand/, 30) +
      if($nohup_proc.target.process.command_line = /Set-MpPreference|DisableRealtimeMonitoring/, 35)
    )
    $hostname = $nohup_proc.principal.hostname
    $process_name = $nohup_proc.target.process.file.full_path
    $command_line = $nohup_proc.target.process.command_line
    $parent_process = $nohup_proc.principal.process.file.full_path
    $user = $nohup_proc.principal.user.userid

  condition:
    $nohup_proc
}

high severity medium confidence

Data Sources

Google Chronicle UDM (process events from endpoint telemetry) Endpoint Detection and Response (EDR) data via Chronicle ingestion Windows Event Log forwarding to Chronicle Linux auditd via Chronicle forwarder

Required Tables

UDM entity: PROCESS_LAUNCH events

False Positives

Legitimate sysadmin use of nohup for long-running administrative tasks such as package updates, log rotation jobs, or data processing pipelines that must survive SSH session expiry
Containerized workloads or init systems that invoke nohup as part of service startup scripts in /etc/init.d or similar paths, particularly in legacy environments
Security tooling and IT automation scripts (Ansible, Puppet) using PowerShell's -ErrorAction SilentlyContinue as standard defensive coding practice when applying idempotent configurations

CrowdStrike LogScale (CQL)

cql

// T1564.011 - Ignore Process Interrupts: nohup + PowerShell Error Suppression
// CrowdStrike Falcon LogScale (CQL) - Humio Query Language

// ========== PART 1: Linux/macOS nohup detection ==========
#event_simpleName = ProcessRollup2
| #platform_name = /Linux|Mac/
| CommandLine = /\bnohup\s+\S/ OR ImageFileName = /\/(usr/)?bin/nohup$/
   OR ParentBaseFileName = "nohup"
| eval temp_dir_payload = if(CommandLine = /\/tmp\/|\/var\/tmp\/|\/dev\/shm//, 1, 0)
| eval suspicious_net_tool = if(CommandLine = /\b(nc|ncat|netcat|socat)\s/, 1, 0)
| eval interactive_shell = if(CommandLine = /(bash|sh|dash)\s+-i/, 1, 0)
| eval persistence_path = if(CommandLine = /\/etc\/init\.d\/|\/etc\/rc\.|\/etc\/cron|\/etc\/profile/, 1, 0)
| eval background_exec = if(CommandLine = /&\s*$/, 1, 0)
| eval download_tool = if(CommandLine = /\b(curl|wget)\s/, 1, 0)
| eval suspicion_score = temp_dir_payload + suspicious_net_tool + interactive_shell + persistence_path + background_exec + download_tool
| eval detection_type = "nohup_interrupt_ignore"
| eval platform_label = "Linux/macOS"
| where not ParentBaseFileName = /(cron|anacron|crond)/
| table _time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, suspicion_score, detection_type, platform_label

// ========== PART 2: Windows PowerShell error suppression ==========
| union
[
  #event_simpleName = ProcessRollup2
  | #platform_name = Windows
  | ImageFileName = /\\(powershell|pwsh)\.exe$/i
  | CommandLine = /(?i)(SilentlyContinue|ErrorActionPreference|-ErrorAction\s+Ignore|-EA\s+Ignore|-EA\s+SilentlyContinue)/
  | eval cmd_lower = lower(CommandLine)
  | eval has_download_cradle = if(cmd_lower = /invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile/, 1, 0)
  | eval has_exec_cradle = if(cmd_lower = /invoke-expression|iex\(|iex\s|-encodedcommand|-enc\s/, 1, 0)
  | eval has_persistence = if(cmd_lower = /schtasks|sc\s+create|reg\s+add|new-service/, 1, 0)
  | eval has_defense_evasion = if(cmd_lower = /set-mppreference|add-mppreference|disablerealtimemonitoring/, 1, 0)
  | eval has_network_util = if(cmd_lower = /certutil|start-bitstransfer|bitsadmin/, 1, 0)
  | eval suspicion_score = has_download_cradle + has_exec_cradle + has_persistence + has_defense_evasion + has_network_util
  | where suspicion_score > 0
  | eval detection_type = "ps_error_suppression"
  | eval platform_label = "Windows"
  | table _time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, suspicion_score, detection_type, platform_label
]
| sort(field=_time, order=desc)
| groupBy([ComputerName, detection_type], function=[
    count(as=alert_count),
    max(suspicion_score, as=max_suspicion),
    collect([UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type, platform_label])
  ])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon sensor telemetry (Linux, macOS, Windows)

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

IT operations scripts using nohup to launch legitimate background services, monitoring daemons, or database operations that must survive operator logout
Software development and build automation environments where nohup is used to start compilers, test harnesses, or artifact servers in ephemeral CI environments
Windows automation runbooks (SCCM, Intune, custom tooling) that use PowerShell -ErrorAction SilentlyContinue to gracefully handle environments where some commands may not apply

Last updated: 2026-04-21 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1564.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Ignore Process Interrupts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections