Nohup Execution

Detects execution of nohup, which an attacker could leverage to keep a process running after the session ends or to break out of a restricted environment (see the GTFOBins entry referenced by the rule).

Sigma rule

title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
    - https://gtfobins.github.io/gtfobins/nohup/
    - https://en.wikipedia.org/wiki/Nohup
    - https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
    condition: selection
falsepositives:
    - Administrators or installed processes that leverage nohup
level: medium
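The rule has a single selection, `Image|endswith: '/nohup'`, so it fires on every process whose executable path ends in `/nohup`, regardless of what nohup then runs. The Python below is an added illustration (not part of the rule or the Sigma project) that evaluates that selection over a handful of constructed process_creation events, showing a GTFOBins-style shell breakout, the administrative use the rule itself lists as a false positive, a copy of the binary outside `/usr/bin` that still matches, and two events the rule does not cover. The `triage` note that separates "nohup launching a shell" from "nohup of a script" is an added analyst heuristic layered on top of the rule, not something the rule expresses.

```python
"""Evaluate the 'Nohup Execution' Sigma selection against sample events.

Added example, not code from the Sigma rule or project. All events below are
constructed for illustration; they were not captured from a real host.
"""
from dataclasses import dataclass

# The rule's only selection: Image|endswith: '/nohup'
NOHUP_SUFFIX = "/nohup"


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the Sigma linux/process_creation fields used here."""
    Image: str
    CommandLine: str
    User: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # GTFOBins-style use of nohup to spawn a shell from a restricted context
    ProcessEvent("/usr/bin/nohup",
                 'nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"',
                 "www-data"),
    # Routine administrative use: the false positive the rule lists
    ProcessEvent("/usr/bin/nohup", "nohup /opt/scripts/nightly_backup.sh", "root"),
    # A copy of the binary in a writable directory still ends with '/nohup'
    ProcessEvent("/tmp/nohup", "/tmp/nohup /bin/bash", "www-data"),
    # Another way to detach from a session; this rule does not cover it
    ProcessEvent("/usr/bin/setsid", "setsid /bin/sh", "www-data"),
    # A path that merely contains 'nohup' does not satisfy endswith
    ProcessEvent("/usr/local/bin/nohup-wrapper", "nohup-wrapper --run", "deploy"),
]


def matches_nohup_rule(event):
    """Apply the selection. Sigma compares plain string values case-insensitively,
    so both sides are lower-cased before the suffix test."""
    return event.Image.lower().endswith(NOHUP_SUFFIX.lower())


def select_matches(events):
    """Return the events that would raise this alert."""
    return [e for e in events if matches_nohup_rule(e)]


# Added triage heuristic (an assumption for this example, not part of the rule):
# command lines that hand nohup a shell are the pattern worth a closer look.
SHELL_HINTS = ("/bin/sh", "/bin/bash", "sh -p")


def triage(events):
    """Pair each rule hit with a short analyst note.

    The note only helps prioritise review; the rule itself fires on every hit.
    """
    results = []
    for event in select_matches(events):
        spawns_shell = any(hint in event.CommandLine for hint in SHELL_HINTS)
        if spawns_shell:
            note = "nohup launching a shell: review for restricted-environment breakout"
        else:
            note = "nohup of a script or binary: likely administrative, confirm with owner"
        results.append((event, note))
    return results


if __name__ == "__main__":
    for event, note in triage(SAMPLE_EVENTS):
        print(f"{event.User:<9} {event.Image:<28} {event.CommandLine!r}")
        print(f"    -> {note}")
```

Two practical points follow from running it: the suffix match deliberately ignores the directory, so a nohup binary copied to `/tmp` is still caught, and the rule says nothing about what nohup executes, so a detection engineer who wants fewer administrative hits has to add that context (the user, the child process, or the command line) in a correlation or triage step rather than in this rule.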
