Nohup Execution

Hunt Hypothesis

The Nohup Execution rule detects adversaries using the nohup command to persist malicious processes or evade process termination, which is a common technique to maintain persistence or escape restricted environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-running malicious activity that may evade standard monitoring and detection mechanisms.

Detection Rule

Sigma (Original)

title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
    - https://gtfobins.github.io/gtfobins/nohup/
    - https://en.wikipedia.org/wiki/Nohup
    - https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
    condition: selection
falsepositives:
    - Administrators or installed processes that leverage nohup
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "/nohup"

False Positive Guidance

• Scenario: System administrator uses nohup to run a long-running backup script.
  Filter/Exclusion: process.name = "backup_script.sh" OR process.args CONTAINS "nohup /opt/backup/backup_script.sh"

• Scenario: A scheduled job (e.g., via cron) uses nohup to ensure a service starts even if the terminal session is closed.
  Filter/Exclusion: process.name = "cron" OR process.args CONTAINS "nohup /etc/init.d/service start"

• Scenario: A developer runs a test script using nohup to keep it running in the background during testing.
  Filter/Exclusion: process.name = "test_script.sh" OR user.name = "dev_user" AND process.args CONTAINS "nohup"

• Scenario: A legitimate monitoring tool (e.g., nagios, telegraf) uses nohup to run background processes.
  Filter/Exclusion: process.name = "telegraf" OR process.name = "nagios" OR process.args CONTAINS "nohup telegraf -config"

• Scenario: A system update or patching tool (e.g., yum, apt, ansible) uses nohup to run a long-running task.
  Filter/Exclusion: process.name = "ansible" OR process.name = "yum" OR process.args CONTAINS "nohup ansible-playbook update_playbook.yml"

MITRE ATT&CK Context

• Tactic: Execution
• Technique: T1059.004