title: Ignore Process Interrupts (T1564.011)
id: df00tech-t1564-011
status: experimental
description: "Adversaries evade defensive mechanisms by launching processes that ignore interrupt signals, so that analyst-driven or system-triggered termination attempts do not stop them. The primary technique is nohup on Linux and macOS, which detaches a process from the controlling terminal and makes it ignore SIGHUP, the hangup signal delivered when a session ends or a terminal closes. Malware authors also call signal() or sigaction() directly to set SIGINT, SIGTERM, SIGPIPE, SIGCHLD and other control signals to SIG_IGN, as documented in BPFDoor (masks 7 signals) and BOLDMOVE (masks SIGCHLD, SIGHUP, SIGPIPE). On Windows, PowerShell's -ErrorAction SilentlyContinue or $ErrorActionPreference = 'SilentlyContinue' suppresses non-terminating errors, letting a payload run quietly past failures that would otherwise be written to the error stream (terminating errors still stop the script unless caught). Real-world usage includes the GoldMax Linux variant (nohup invocation so the C2 channel survives SSH disconnection), UNC3886 (nohup /bin/support in /etc/init.d/localnet for semi-persistence across reboots), Sea Turtle running SnappyTCP via nohup, and OSX/Shlayer applying nohup to payload execution on macOS. Unlike Trap (T1546.005), this technique does not re-invoke the process after termination; it only carries the existing execution session through events that would otherwise end it."
references:
  - https://attack.mitre.org/techniques/T1564/011/
  - https://df00tech.com/detections/T1564.011
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.011
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The nohup variant described above is Linux/macOS only; the PowerShell
# -ErrorAction SilentlyContinue variant needs a separate rule against Windows
# PowerShell script block logging and is not covered by this selection.
logsource:
  category: process_creation
  product: linux
detection:
  # Minimal translation of the nohup behaviour from the description; the fuller
  # KQL/SPL query is on df00tech. Tune against the falsepositives list below.
  selection_image:
    Image|endswith: '/nohup'
  selection_cmdline:
    CommandLine|contains: 'nohup '
  condition: selection_image or selection_cmdline
falsepositives:
  - "System administrators running long-duration jobs with nohup to survive SSH disconnection (e.g., nohup rsync, nohup tar, nohup python batch jobs)"
  - "CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions) using nohup to daemonize build processes or test runners"
  - "Monitoring and observability daemons (Datadog agent, Prometheus exporters, Telegraf) started via init scripts or cron using nohup"
  - "Software installation scripts using nohup to continue package downloads after session timeout"
  - "PowerShell automation scripts using -ErrorAction SilentlyContinue to handle expected errors in idempotent deployment scripts (SCCM, DSC, Intune)"
  - "Developer workstations where nohup is used to keep local development servers running after terminal close"
level: medium
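Added example, not part of the df00tech rule or of any of the malware it cites: the nohup process_creation check from the description run over constructed events, with parent-based suppression drawn from the falsepositives list, plus a decoder for the SigIgn bitmask in /proc/<pid>/status that surfaces processes which mask SIGHUP, SIGTERM, SIGPIPE or SIGCHLD via signal() or sigaction(), the behaviour the description attributes to BPFDoor and BOLDMOVE. Field names (Image, CommandLine, ParentImage) follow Sigma's process_creation taxonomy; the benign-parent substrings, the event records and the /proc text are assumptions constructed for the example.

```python
"""Added example for T1564.011 (not part of the df00tech rule or any of the
cited malware): two host checks for the technique the description covers.
Event field names (Image, CommandLine, ParentImage) follow the Sigma
process_creation taxonomy; all events and /proc text below are constructed."""
import os
import re

# Linux x86-64 signal numbers, hard-coded so decode_sigign() gives the same
# answer whichever OS runs this script (Python's signal module varies by OS).
LINUX_SIGNALS = {1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 13: "SIGPIPE",
                 15: "SIGTERM", 17: "SIGCHLD", 20: "SIGTSTP"}

# Signals whose masking the description attributes to BPFDoor / BOLDMOVE-style code.
INTERRUPT_SIGNALS = {"SIGHUP", "SIGINT", "SIGTERM", "SIGPIPE", "SIGCHLD"}

# Parent images that routinely wrap long jobs in nohup (from the falsepositives
# list). Assumed substrings; tune them to the environment.
BENIGN_PARENT_HINTS = ("jenkins", "gitlab-runner", "Runner.Listener", "datadog-agent")

# nohup as a word at the start of the command line or after a shell separator/quote.
NOHUP_RE = re.compile(r"""(^|[\s;&|(`'"])nohup\s""")


def nohup_in_event(event: dict) -> bool:
    """Sigma-style selection: nohup is the image or appears in the command line."""
    return (event.get("Image", "").endswith("/nohup")
            or NOHUP_RE.search(event.get("CommandLine", "")) is not None)


def classify_event(event: dict) -> str:
    """'alert', 'suppressed' (known benign parent) or 'none' for one event."""
    if not nohup_in_event(event):
        return "none"
    parent = event.get("ParentImage", "")
    if any(hint in parent for hint in BENIGN_PARENT_HINTS):
        return "suppressed"
    return "alert"


def decode_sigign(status_text: str) -> set:
    """Names of signals set to SIG_IGN, from the SigIgn line of /proc/<pid>/status.

    SigIgn is a hex bitmask in which bit (n - 1) stands for signal number n.
    """
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        return set()
    mask = int(m.group(1), 16)
    return {name for num, name in LINUX_SIGNALS.items() if mask & (1 << (num - 1))}


def ignores_interrupts(status_text: str) -> bool:
    """Flag processes masking two or more interrupt signals. A plain nohup child
    only ignores SIGHUP and is left to the process_creation check above."""
    return len(decode_sigign(status_text) & INTERRUPT_SIGNALS) >= 2


def scan_proc(proc_root: str = "/proc") -> list:
    """Live hunt on a Linux host: (pid, name, ignored signals) for flagged processes."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "status")) as fh:
                status = fh.read()
        except OSError:  # process exited or access denied
            continue
        if ignores_interrupts(status):
            name = re.search(r"^Name:\s*(.*)$", status, re.MULTILINE)
            hits.append((int(pid), name.group(1) if name else "?", sorted(decode_sigign(status))))
    return hits


# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup /bin/support",
     "ParentImage": "/bin/sh"},                                  # alert
    {"Image": "/bin/sh", "CommandLine": "sh -c 'nohup ./agent >/dev/null 2>&1 &'",
     "ParentImage": "/usr/bin/python3"},                        # alert
    {"Image": "/usr/bin/nohup", "CommandLine": "nohup ./run-tests.sh",
     "ParentImage": "/usr/bin/gitlab-runner"},                   # suppressed
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -a /srv/ backup:/srv/",
     "ParentImage": "/bin/bash"},                                # none
]

# Constructed /proc/<pid>/status excerpt with SIGHUP, SIGPIPE and SIGCHLD ignored
# (bits 0, 12 and 16), the combination the description attributes to BOLDMOVE.
MASKED_STATUS = "Name:\tsupport\nSigIgn:\t0000000000011001\nSigCgt:\t0000000000000000\n"
CLEAN_STATUS = "Name:\tsleep\nSigIgn:\t0000000000000000\n"

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify_event(ev), ev["CommandLine"])
    print(sorted(decode_sigign(MASKED_STATUS)))
    if os.path.isdir("/proc"):
        print(scan_proc())
```

The SigIgn check complements the process_creation selection: a backdoor that masks signals from inside its own code never spawns nohup, so it leaves nothing for the command-line match, but the kernel still reports the ignored set in /proc. Ignored dispositions are inherited across fork and execve, so every descendant of a nohup'd process also shows SIGHUP in SigIgn; that is why the live scan requires two or more of the interrupt signals before flagging a process.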
