Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Sigma rule (View on GitHub)
1title: Nohup Execution
2id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
3status: test
4description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
5references:
6 - https://gtfobins.github.io/gtfobins/nohup/
7 - https://en.wikipedia.org/wiki/Nohup
8 - https://www.computerhope.com/unix/unohup.htm
9author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
10date: 2022/06/06
11tags:
12 - attack.execution
13 - attack.t1059.004
14logsource:
15 product: linux
16 category: process_creation
17detection:
18 selection:
19 Image|endswith: '/nohup'
20 condition: selection
21falsepositives:
22 - Administrators or installed processes that leverage nohup
23level: medium
References
-
.. / nohup Shell Command SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. nohup /bin/sh -c "sh $(tty) 2>$(tty)" Command It can be us...
Read More -
nohup is a POSIX command which means "no hang up". Its purpose is to execute a command such that it ignores the HUP (hangup) signal and therefore does not stop when the user logs out. Output that w...
Read More -
Linux nohup command help and information with nohup examples, syntax, related commands, and how to use the nohup command from the command line.
Read More
Related rules
- AWS EC2 Startup Shell Script Change
- Interactive Bash Suspicious Children
- Linux Reverse Shell Indicator
- Suspicious Activity in Shell Commands
- Privilege Escalation Preparation