The hypothesis is that an adversary is leveraging nohup to execute malicious binaries in hidden or non-standard directories to persist across reboots and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and disrupt adversary long-term access.
Detection Rule
title: Suspicious Nohup Execution
id: 457df417-8b9d-4912-85f3-9dbda39c3645
related:
    - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
      type: derived
status: test
description: Detects execution of binaries located in potentially suspicious locations via "nohup"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
        CommandLine|contains: '/tmp/'
    condition: selection
falsepositives:
    - Unknown
level: high
Hunting Query (Azure Sentinel KQL)
imProcessCreate
| where TargetProcessName endswith "/nohup" and TargetProcessCommandLine contains "/tmp/"
False Positive Scenarios and Exclusions

Scenario: A system administrator is using nohup to run a long-running monitoring tool like nagios or zabbix on a server.
Filter/Exclusion: Exclude processes where the binary path matches known monitoring tools (e.g., /usr/local/nagios/bin/nagios, /opt/zabbix/bin/zabbix_server).

Scenario: A scheduled job (e.g., via cron or systemd) uses nohup to run a backup script that includes a binary from a trusted directory like /usr/bin/ or /opt/backup/bin/.
Filter/Exclusion: Exclude processes where the command line includes paths from known trusted directories (e.g., /usr/bin/, /opt/backup/bin/).

Scenario: A developer is running a local development tool (e.g., docker, kubernetes CLI) using nohup to keep the process running during a CI/CD pipeline.
Filter/Exclusion: Exclude processes where the binary is located in a developer tool directory (e.g., /usr/local/bin/docker, /opt/k8s/bin/kubelet).

Scenario: A system update or patching task uses nohup to run a package manager like yum or apt in the background.
Filter/Exclusion: Exclude processes where the command includes package manager binaries (e.g., /usr/bin/yum, /usr/bin/apt).

Scenario: A security tool like logrotate or rsyslog uses nohup to run a background process for log management.
Filter/Exclusion: Exclude processes where the binary is associated with log management tools (e.g., /usr/sbin/logrotate, /usr/sbin/rsyslogd).
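The following is an added example, not code from the original hunt or from the Sigma rule's author. It applies the rule's selection (Image ends with /nohup, CommandLine contains /tmp/) to a handful of constructed process-creation events shaped like the imProcessCreate columns in the KQL above, then layers the exclusions from the scenarios on top. The allow-list of binaries and directories is taken from the scenarios; the list of shell/interpreter names and the sample events are assumptions made for the example. One caveat it illustrates: an exclusion that fires whenever the command line merely contains a trusted path (such as /usr/bin/) also suppresses a command like `nohup /usr/bin/bash /tmp/.cache/run.sh`, where the trusted path is only the interpreter and the /tmp/ script is the real target. Keying the exclusion on the executed binary, and on the script when that binary is an interpreter, keeps that case in the hunt results.

```python
import os
import shlex
from typing import Iterable, List, Optional

# Binaries the hunt's false-positive scenarios name as legitimate nohup
# targets (monitoring, developer tooling, package managers, log management).
KNOWN_BENIGN_BINARIES = {
    "/usr/local/nagios/bin/nagios",
    "/opt/zabbix/bin/zabbix_server",
    "/usr/local/bin/docker",
    "/opt/k8s/bin/kubelet",
    "/usr/bin/yum",
    "/usr/bin/apt",
    "/usr/sbin/logrotate",
    "/usr/sbin/rsyslogd",
}

# Directories the scenarios treat as trusted locations.
KNOWN_BENIGN_DIRS = ("/usr/bin/", "/opt/backup/bin/")

# Assumed list of shells and script interpreters: when nohup launches one of
# these, the path worth judging is the script it was handed, not the interpreter.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}

# Constructed process-creation events in the shape of the imProcessCreate
# columns used by the hunting query. Not real telemetry.
SAMPLE_EVENTS = [
    {"TargetProcessName": "/usr/bin/nohup",
     "TargetProcessCommandLine": "nohup /tmp/.x/update &"},
    {"TargetProcessName": "/usr/bin/nohup",
     "TargetProcessCommandLine": "nohup /usr/local/nagios/bin/nagios -d /tmp/nagios.cfg"},
    {"TargetProcessName": "/usr/bin/nohup",
     "TargetProcessCommandLine": "nohup /usr/bin/bash /tmp/.cache/run.sh"},
    {"TargetProcessName": "/usr/bin/nohup",
     "TargetProcessCommandLine": "nohup /opt/backup/bin/backup.sh --log /tmp/backup.log"},
    {"TargetProcessName": "/usr/bin/sleep",
     "TargetProcessCommandLine": "sleep 30"},
]


def matches_selection(event: dict) -> bool:
    """The Sigma selection: Image ends with '/nohup' and CommandLine contains '/tmp/'."""
    return (event["TargetProcessName"].endswith("/nohup")
            and "/tmp/" in event["TargetProcessCommandLine"])


def effective_target(command_line: str) -> Optional[str]:
    """Program nohup was asked to run, or the script handed to it when that
    program is a shell/interpreter. None if the line cannot be parsed."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None
    args = argv[1:]                        # drop 'nohup' itself
    while args and args[0].startswith("-"):
        args.pop(0)                        # nohup's own options (--help/--version)
    if not args:
        return None
    target = args[0]
    if os.path.basename(target) in INTERPRETERS:
        # first non-option argument after the interpreter is the script (or inline code)
        for arg in args[1:]:
            if not arg.startswith("-"):
                return arg
    return target


def is_known_benign(path: str) -> bool:
    """Allow-list check on a normalised path. normpath collapses '..' so that
    '/usr/bin/../../tmp/x' is judged as '/tmp/x'; it does not resolve symlinks."""
    clean = os.path.normpath(path)
    return clean in KNOWN_BENIGN_BINARIES or clean.startswith(KNOWN_BENIGN_DIRS)


def hunt(events: Iterable[dict]) -> List[str]:
    """Selection plus allow-listing keyed on the executed binary or script."""
    hits = []
    for event in events:
        if not matches_selection(event):
            continue
        target = effective_target(event["TargetProcessCommandLine"])
        # unparsable or empty command line: keep the alert rather than drop it
        if target is None or not is_known_benign(target):
            hits.append(event["TargetProcessCommandLine"])
    return hits


def naive_hunt(events: Iterable[dict]) -> List[str]:
    """Selection plus a substring exclusion ('command line includes a trusted
    path'). Kept only to show what that style of exclusion misses."""
    tokens = tuple(KNOWN_BENIGN_BINARIES) + KNOWN_BENIGN_DIRS
    return [
        e["TargetProcessCommandLine"] for e in events
        if matches_selection(e)
        and not any(t in e["TargetProcessCommandLine"] for t in tokens)
    ]


if __name__ == "__main__":
    print("binary-keyed exclusions:", hunt(SAMPLE_EVENTS))
    print("substring exclusions:   ", naive_hunt(SAMPLE_EVENTS))
```

Running it, `hunt` returns the /tmp/.x/update launch and the bash-with-/tmp/-script launch, while `naive_hunt` returns only the first because the second's command line contains /usr/bin/. The same split can be reproduced in KQL by extracting the first argument after nohup (for example with `extract` or `split` on TargetProcessCommandLine) and applying the exclusions to that column instead of to the whole command line.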