Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments.
nohup ./xxx.sh RESPONSE_FILE=/xxxxx/product/tmp
GobRAT Malware LOLBins
https://github.com/SigmaHQ/sigma/blob/68511f711fae7a1417fc7a782684fb1f01eefeea/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml#L18
https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
https://www.digitalocean.com/community/tutorials/nohup-command-in-linux
{{ mitre("T1059.004")}}
Data Source(s): Command, Process
DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FolderPath endswith '/nohup' and ProcessCommandLine contains '/tmp/'
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId
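The filter above and its commented-out summarize step, re-implemented in plain Python over constructed DeviceProcessEvents-shaped rows so the rule's logic can be exercised offline (added example, not the rule's or SigmaHQ's own code; the sample rows and the ev() helper are constructed for illustration):

```python
from collections import defaultdict

def ev(t, dev, path, cmd, ipath, icmd, acct, action="ProcessCreated"):
    """Build one constructed row with the DeviceProcessEvents columns the rule reads."""
    return {"TimeGenerated": t, "ActionType": action, "DeviceName": dev, "FolderPath": path,
            "FileName": path.rsplit("/", 1)[-1], "ProcessCommandLine": cmd,
            "InitiatingProcessFolderPath": ipath, "InitiatingProcessFileName": ipath.rsplit("/", 1)[-1],
            "InitiatingProcessCommandLine": icmd, "AccountName": acct, "TenantId": "tenant-a"}

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ev("2024-03-18T08:00:00Z", "web-01", "/usr/bin/nohup", "nohup /tmp/.x/update.sh",
       "/bin/bash", "bash -c 'nohup /tmp/.x/update.sh &'", "www-data"),
    ev("2024-03-18T08:05:00Z", "web-02", "/usr/bin/nohup", "nohup /tmp/.x/update.sh",
       "/bin/bash", "bash -c 'nohup /tmp/.x/update.sh &'", "www-data"),
    # Benign: nohup without /tmp/ in the command line is not matched.
    ev("2024-03-18T09:00:00Z", "build-01", "/usr/bin/nohup", "nohup ./build.sh",
       "/bin/sh", "sh -c 'nohup ./build.sh'", "jenkins"),
    # Wrong ActionType: filtered out by the first where clause.
    ev("2024-03-18T09:10:00Z", "web-01", "/usr/bin/nohup", "nohup /tmp/.x/update.sh",
       "/bin/bash", "bash -c 'nohup /tmp/.x/update.sh &'", "www-data", action="ProcessTerminated"),
    # The page's own sample command: path ends in '/tmp' with no trailing slash, so '/tmp/' is absent.
    ev("2024-03-18T09:20:00Z", "db-01", "/usr/bin/nohup", "nohup ./xxx.sh RESPONSE_FILE=/xxxxx/product/tmp",
       "/bin/sh", "sh", "root"),
]

def matches(e):
    """Row-level filter equivalent to the rule's two `where` clauses."""
    return (e["ActionType"] == "ProcessCreated"
            and e["FolderPath"].endswith("/nohup")
            and "/tmp/" in e["ProcessCommandLine"])

GROUP_KEYS = ("InitiatingProcessFolderPath", "InitiatingProcessFileName", "FolderPath",
              "FileName", "AccountName", "TenantId")

def summarize(events):
    """Equivalent of the commented-out summarize line: one aggregate row per group key."""
    groups = defaultdict(list)
    for e in filter(matches, events):
        groups[tuple(e[k] for k in GROUP_KEYS)].append(e)
    out = []
    for key, rows in groups.items():
        out.append({**dict(zip(GROUP_KEYS, key)), "count_": len(rows),
                    "num_distinctDevices": len({e["DeviceName"] for e in rows}),
                    "set_ProcessCMD": sorted({e["ProcessCommandLine"] for e in rows}),
                    "set_InitiatingProcessCMD": sorted({e["InitiatingProcessCommandLine"] for e in rows}),
                    "first_": min(e["TimeGenerated"] for e in rows),
                    "last_": max(e["TimeGenerated"] for e in rows)})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Note that the page's sample command line ends in `/tmp` without a trailing slash, so the `contains '/tmp/'` clause does not match it; widen the pattern only after checking the resulting false-positive rate in your own telemetry.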
Verify whether execution of the nohup command from the tmp folder is expected or approved.
Analyse the account involved in the nohup activity and determine whether it is compromised.
- Administrators or installed processes that leverage nohup
Version 1.0 (date: 18/03/2024)