T1564.011 Ignore Process Interrupts
Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.1 These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.
Adversaries may invoke processes using nohup, PowerShell -ErrorAction SilentlyContinue, or similar commands that may be immune to hangups.23 This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.
Hiding from process interrupt signals may allow malware to continue execution, but unlike Trap this does not establish Persistence since the process will not be re-invoked once actually terminated.
| Item | Value |
|---|---|
| ID | T1564.011 |
| Sub-techniques | T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010, T1564.011, T1564.012, T1564.013, T1564.014 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 24 August 2023 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1184 | BOLDMOVE | BOLDMOVE calls the signal function to ignore the signals SIGCHLD, SIGHIP, and SIGPIPE prior to starting primary logic.5 |
| S1161 | BPFDoor | BPFDoor set’s it’s process to ignore the following signals; SIGHUP, SIGINT, SIGQUIT, SIGPIPE, SIGCHLD, SIGTTIN, and SIGTTOU.7 |
| S0588 | GoldMax | The GoldMax Linux variant has been executed with the nohup command to ignore hangup signals and continue to run if the terminal session was terminated.4 |
| S0402 | OSX/Shlayer | OSX/Shlayer has used the nohup command to instruct executed payloads to ignore hangup signals.6 |
| G1041 | Sea Turtle | Sea Turtle executed SnappyTCP using the tool NoHup, which keeps the malware running on a system after exiting the shell or terminal.9 |
| G1048 | UNC3886 | UNC3886 modified the startup file /etc/init.d/localnet to execute the line nohup /bin/support & so the script would run when the system was rebooted.8 |
References
-
Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023. ↩
-
Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023. ↩
-
CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. ↩
-
Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024. ↩
-
Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021. ↩
-
Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024. ↩
-
Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023. ↩
-
Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024. ↩