T1059.004 Suspicious Nohup Execution

T1059.004 - Suspicious Nohup Execution

DESCRIPTION

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments.

Example:

nohup ./xxx.sh RESPONSE_FILE=/xxxxx/product/tmp

Related

GobRAT Malware LOLBins

Reference:

https://github.com/SigmaHQ/sigma/blob/68511f711fae7a1417fc7a782684fb1f01eefeea/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml#L18
https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
https://www.digitalocean.com/community/tutorials/nohup-command-in-linux

ATT&CK TACTICS

T1059.004 - Command and Scripting Interpreter: Unix Shell

Data Source(s): Command, Process

SENTINEL RULE QUERY

DeviceProcessEvents 
| where ActionType == 'ProcessCreated'
| where FolderPath endswith '/nohup' and ProcessCommandLine contains '/tmp/'
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId 

Triage

Verify whether execution of nohup command in tmp folder is expected or approved Analyse the account involved with nohup activity and determine whether is compromised

FalsePositive

• Administrators or installed processes that leverage nohup

VERSION

Version 1.0 (date: 18/03/2024)