Description
Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man) These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.
Adversaries may invoke processes using nohup, PowerShell -ErrorAction SilentlyContinue, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.
Hiding from process interrupt signals may allow malware to continue execution, but unlike Trap this does not establish Persistence since the process will not be re-invoked once actually terminated.
Platforms
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) modified the startup file `/etc/init.d/localnet` to execute the line `nohup /bin/support &` so the sc... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) executed [SnappyTCP](https://attack.mitre.org/software/S1163) using the tool NoHup, which keeps th... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged the PowerShell `-ErrorAction SilentlyContinue` command to continue execution through sy... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0588 | GoldMax | Malware | The [GoldMax](https://attack.mitre.org/software/S0588) Linux variant has been executed with the `nohup` command to ignore hangup signals and continue ... |
| S1184 | BOLDMOVE | Malware | [BOLDMOVE](https://attack.mitre.org/software/S1184) calls the signal function to ignore the signals SIGCHLD, SIGHIP, and SIGPIPE prior to starting pri... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has suppressed NPM warnings by silently exiting through the use of the NPM success code that has... |
| S0402 | OSX/Shlayer | Malware | [OSX/Shlayer](https://attack.mitre.org/software/S0402) has used the `nohup` command to instruct executed payloads to ignore hangup signals.(Citation: ... |
| S1161 | BPFDoor | Malware | [BPFDoor](https://attack.mitre.org/software/S1161) sets its process to ignore the following signals; `SIGHUP`, `SIGINT`, `SIGQUIT`, `SIGPIPE`, `SIGCHL... |
References
- Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.
- Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.
- Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.
Frequently Asked Questions
What is T1564.011 (Ignore Process Interrupts)?
T1564.011 is a MITRE ATT&CK technique named 'Ignore Process Interrupts'. It belongs to the Stealth tactic(s). Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command i...
How can T1564.011 be detected?
Detection of T1564.011 (Ignore Process Interrupts) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.011?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1564.011?
Known threat groups using T1564.011 include: UNC3886, Sea Turtle, Kimsuky.