Detect Ignore Process Interrupts in Google Chronicle
Adversaries evade defensive mechanisms by launching processes immune to interrupt signals, preventing analyst-driven or system-triggered termination. The primary technique is nohup on Linux and macOS, which detaches a process from the controlling terminal and causes it to ignore SIGHUP—the hangup signal sent when a session ends or a terminal closes. Malware authors also call signal() or sigaction() directly to mask SIGINT, SIGTERM, SIGPIPE, SIGCHLD, and other control signals, as documented in BPFDoor (masks 7 signals) and BOLDMOVE (masks SIGCHLD, SIGHUP, SIGPIPE). On Windows, PowerShell's -ErrorAction SilentlyContinue or $ErrorActionPreference = 'SilentlyContinue' prevents script termination on errors, allowing malicious payloads to continue past failures that would otherwise halt execution. Real-world usage includes GoldMax Linux variant (nohup invocation for C2 persistence through SSH disconnection), UNC3886 (nohup /bin/support in /etc/init.d/localnet for semi-persistence across reboots), Sea Turtle running SnappyTCP via nohup, and OSX/Shlayer applying nohup to payload execution on macOS. Unlike Trap (T1546.005), this technique does not re-invoke the process after termination—it only prolongs the existing execution session through events that would otherwise end it.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.011 Ignore Process Interrupts
- Canonical reference
- https://attack.mitre.org/techniques/T1564/011/
YARA-L Detection Query
rule T1564_011_Ignore_Process_Interrupts {
meta:
author = "Argus Detection Engineering"
description = "Detects T1564.011 Ignore Process Interrupts via nohup execution on Linux/macOS with suspicious payload characteristics, or PowerShell error suppression combined with malicious indicators on Windows."
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1564.011"
severity = "HIGH"
priority = "HIGH"
platforms = "Linux, macOS, Windows"
created = "2026-04-21"
version = "1.0"
events:
// Pattern 1: nohup execution on Linux/macOS
(
$nohup_proc.metadata.event_type = "PROCESS_LAUNCH"
and (
// Direct nohup invocation
$nohup_proc.target.process.file.full_path = /\/bin\/nohup$/ nocase
or $nohup_proc.target.process.file.full_path = /\/usr\/bin\/nohup$/ nocase
or $nohup_proc.target.process.command_line = /\bnohup\s+\S/ nocase
// Process spawned by nohup parent
or $nohup_proc.principal.process.file.full_path = /nohup$/ nocase
)
and (
// Suspicious payload destinations
$nohup_proc.target.process.command_line = /\/tmp\/|\/var\/tmp\/|\/dev\/shm\// nocase
or $nohup_proc.target.process.command_line = /\b(nc|ncat|netcat|socat)\s/ nocase
or $nohup_proc.target.process.command_line = /(bash|sh|dash)\s+-i/ nocase
or $nohup_proc.target.process.command_line = /\/etc\/init\.d\/|\/etc\/rc\.|\/etc\/cron/ nocase
or $nohup_proc.target.process.command_line = /\b(curl|wget)\s/ nocase
or $nohup_proc.target.process.command_line = /\/etc\/profile|\.bashrc|\.bash_profile/ nocase
)
and not $nohup_proc.principal.process.file.full_path = /(cron|anacron|crond)$/ nocase
)
or
// Pattern 2: PowerShell error suppression + malicious indicators on Windows
(
$nohup_proc.metadata.event_type = "PROCESS_LAUNCH"
and (
$nohup_proc.target.process.file.full_path = /\\powershell\.exe$/ nocase
or $nohup_proc.target.process.file.full_path = /\\pwsh\.exe$/ nocase
)
and (
$nohup_proc.target.process.command_line = /SilentlyContinue|ErrorActionPreference|-ErrorAction\s+Ignore|-EA\s+Ignore/ nocase
)
and (
$nohup_proc.target.process.command_line = /Invoke-WebRequest|IWR\s|Net\.WebClient|DownloadString|DownloadFile/ nocase
or $nohup_proc.target.process.command_line = /Invoke-Expression|IEX\(|IEX\s|-EncodedCommand|-enc\s/ nocase
or $nohup_proc.target.process.command_line = /schtasks|sc\s+create|reg\s+add|New-Service/ nocase
or $nohup_proc.target.process.command_line = /Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring/ nocase
or $nohup_proc.target.process.command_line = /certutil|Start-BitsTransfer|bitsadmin/ nocase
)
)
match:
$nohup_proc.principal.hostname over 1h
outcome:
$risk_score = max(
if($nohup_proc.target.process.command_line = /\/tmp\/|\/var\/tmp\/|\/dev\/shm\//, 20) +
if($nohup_proc.target.process.command_line = /\b(nc|ncat|netcat|socat)\s/, 30) +
if($nohup_proc.target.process.command_line = /(bash|sh|dash)\s+-i/, 25) +
if($nohup_proc.target.process.command_line = /\/etc\/init\.d\/|\/etc\/cron/, 25) +
if($nohup_proc.target.process.command_line = /SilentlyContinue|ErrorActionPreference/, 15) +
if($nohup_proc.target.process.command_line = /Invoke-Expression|IEX\(|-EncodedCommand/, 30) +
if($nohup_proc.target.process.command_line = /Set-MpPreference|DisableRealtimeMonitoring/, 35)
)
$hostname = $nohup_proc.principal.hostname
$process_name = $nohup_proc.target.process.file.full_path
$command_line = $nohup_proc.target.process.command_line
$parent_process = $nohup_proc.principal.process.file.full_path
$user = $nohup_proc.principal.user.userid
condition:
$nohup_proc
}YARA-L 2.0 rule detecting T1564.011 Ignore Process Interrupts via two primary patterns: (1) nohup execution on Linux/macOS (direct invocation or child processes of nohup) combined with high-risk indicators such as temp directory payloads, network tools, interactive shells, or persistence path modification; (2) PowerShell processes on Windows using error suppression combined with download cradles, encoded commands, persistence actions, or AV/EDR evasion.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate sysadmin use of nohup for long-running administrative tasks such as package updates, log rotation jobs, or data processing pipelines that must survive SSH session expiry
- Containerized workloads or init systems that invoke nohup as part of service startup scripts in /etc/init.d or similar paths, particularly in legacy environments
- Security tooling and IT automation scripts (Ansible, Puppet) using PowerShell's -ErrorAction SilentlyContinue as standard defensive coding practice when applying idempotent configurations
Other platforms for T1564.011
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1nohup Background Execution with Network Listener
Expected signal: Linux auditd EXECVE record: a0='nohup', a1='nc', a2='-lvp', a3='14444', a4='-s', a5='127.0.0.1'. A second EXECVE record for the nc process itself with ppid matching the nohup process. MDE DeviceProcessEvents: FileName='nohup' with child process FileName='nc' where InitiatingProcessFileName='nohup'. DeviceNetworkEvents: nc process creating a listening socket on port 14444.
- Test 2nohup Protecting Interpreter from Temp Directory
Expected signal: Auditd EXECVE: a0='chmod', a1='+x', a2='/tmp/df00tech_test_payload.sh' followed by a0='nohup', a1='/tmp/df00tech_test_payload.sh'. MDE DeviceFileEvents: file creation at /tmp/df00tech_test_payload.sh. DeviceProcessEvents: FileName='nohup', ProcessCommandLine contains '/tmp/' (TempDirPayload indicator). A second DeviceProcessEvents record for bash/sh with InitiatingProcessFileName='nohup' and FolderPath='/tmp/'.
- Test 3Programmatic Signal Masking via Python
Expected signal: Auditd EXECVE: a0='python3', a1='-c', a2 contains 'signal.SIG_IGN'. MDE DeviceProcessEvents: FileName='python3', ProcessCommandLine contains 'SIG_IGN' and 'signal'. /proc/<pid>/status SigIgn field will be non-zero (e.g., 0x0000000000003c06 with SIGHUP=1, SIGINT=2, SIGTERM=15, SIGPIPE=13 masked). Attempting `kill -SIGTERM <pid>` will have no effect; only `kill -9 <pid>` terminates the process.
- Test 4PowerShell Error Suppression with Download Cradle
Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine contains 'ErrorActionPreference' and 'SilentlyContinue' and 'Net.WebClient' and 'DownloadString' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection attempts to 127.0.0.1:19999 (will fail with connection refused). PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with full script content.
References (11)
- https://attack.mitre.org/techniques/T1564/011/
- https://man7.org/linux/man-pages/man7/signal.7.html
- https://linux.die.net/man/1/nohup
- https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#erroractionpreference
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://cloud.google.com/blog/topics/threat-intelligence/boldmove-north-korea-fortigate
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.deepinstinct.com/blog/bpfdoor-an-active-chinese-global-surveillance-tool
- https://www.huntress.com/blog/a-brief-history-of-sea-turtle
- https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.011/T1564.011.md
Unlock Pro Content
Get the full detection package for T1564.011 including response playbook, investigation guide, and atomic red team tests.