Detection Strategy for Ignore Process Interrupts

ID: DET0067
Domains: Enterprise
Analytics: AN0181, AN0182, AN0183
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0181

Execution of processes using nohup or shell backgrounding constructs to ignore SIGHUP and continue running after session termination. Defender perspective: correlation between commands including nohup, disowned jobs, or an '&' suffix and continued process execution after the parent terminal exits.

Log Sources

  Data Component              | Name            | Channel
  Command Execution (DC0064)  | auditd:SYSCALL  | execve call including 'nohup' or trailing '&'
  Process Creation (DC0032)   | auditd:SYSCALL  | process persists beyond parent shell termination

Mutable Elements

  Field                     | Description
  IgnoredSignals            | Specific signals to monitor (e.g., SIGHUP, SIGINT) depending on environment baseline.
  ProcessLifetimeThreshold  | Duration a process continues running after session logout, adjustable to reduce noise from benign long-lived jobs.

AN0182

PowerShell or script execution with parameters that suppress errors or ignore user interrupts, such as -ErrorAction SilentlyContinue. Defender perspective: detecting discrepancies between suppressed error arguments and continued execution behavior.

Log Sources

  Data Component              | Name                    | Channel
  Command Execution (DC0064)  | WinEventLog:PowerShell  | EventCode=4104
  Process Creation (DC0032)   | WinEventLog:Sysmon      | EventCode=1

Mutable Elements

  Field                 | Description
  MonitoredCmdlets      | List of PowerShell cmdlets where suppressed error handling is suspicious (e.g., Invoke-Expression, Invoke-WebRequest).
  ErrorActionThreshold  | Frequency of suppressed error actions within a time window that should trigger detection.

AN0183

Use of nohup, disown, or AppleScript constructs to suppress process interrupts. Defender perspective: commands containing nohup or hidden background tasks (osascript with persistent execution) correlated with processes surviving user logouts.

Log Sources

  Data Component              | Name              | Channel
  Command Execution (DC0064)  | macos:unifiedlog  | nohup, disown, or osascript execution patterns
  Process Creation (DC0032)   | macos:unifiedlog  | background process persists beyond user logout

Mutable Elements

  Field                         | Description
  WatchedShells                 | Shells or interpreters where nohup/disown usage is suspicious, configurable to environment.
  PersistenceCorrelationWindow  | Time window to correlate process continuation after logout with suspicious commands.
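The correlation that AN0181 and AN0183 describe (an interrupt-ignoring launch tied to a process still active after its session ends), as an added example that is not part of this detection strategy or any MITRE tooling. It assumes audit records have already been parsed into simple dicts with a session id, pid and command line; the event schema, the sample events and the SUPPRESS_RE pattern are constructed for illustration.

```python
import re

# Command-line markers that let a job outlive its shell: nohup, disown, or a trailing '&'.
# Extend per environment (IgnoredSignals / WatchedShells tunables), e.g. add setsid.
SUPPRESS_RE = re.compile(r"(?:^|\s)(?:nohup|disown)(?:\s|$)|&\s*$")

def is_interrupt_ignoring(cmd: str) -> bool:
    """True if the command is launched so that it survives parent-shell termination."""
    return SUPPRESS_RE.search(cmd.strip()) is not None

def detect_surviving_processes(events, lifetime_threshold=60):
    """Return [(pid, cmd, seconds_after_logout)] for interrupt-ignoring commands whose
    pid is still active more than lifetime_threshold s (ProcessLifetimeThreshold) after
    their audit session ended. events: dicts sorted by 'ts' with keys type ('EXECVE',
    'USER_END' or 'SYSCALL'), ts, ses (audit session id), pid and cmd."""
    candidates = {}   # pid -> (ses, cmd) for commands matching SUPPRESS_RE
    logout_at = {}    # ses -> ts of the USER_END (logout) record
    alerted, alerts = set(), []
    for ev in events:
        if ev["type"] == "EXECVE" and is_interrupt_ignoring(ev["cmd"]):
            candidates[ev["pid"]] = (ev["ses"], ev["cmd"])
        elif ev["type"] == "USER_END":
            logout_at[ev["ses"]] = ev["ts"]
        elif ev["type"] == "SYSCALL" and ev["pid"] in candidates:
            ses, cmd = candidates[ev["pid"]]
            if ses in logout_at and ev["pid"] not in alerted:
                after = ev["ts"] - logout_at[ses]
                if after > lifetime_threshold:   # still running well past logout
                    alerted.add(ev["pid"])
                    alerts.append((ev["pid"], cmd, after))
    return alerts

# Constructed sample events (not captured data): session 7 backgrounds a script with
# nohup, session 8 runs a short nohup backup; both sessions then log out.
SAMPLE_EVENTS = [
    {"type": "EXECVE", "ts": 100, "ses": 7, "pid": 4242, "cmd": "nohup /tmp/.cache/update.sh &"},
    {"type": "EXECVE", "ts": 105, "ses": 7, "pid": 4300, "cmd": "ls -la"},
    {"type": "EXECVE", "ts": 110, "ses": 8, "pid": 5000, "cmd": "nohup tar czf /srv/bak.tgz /var/www"},
    {"type": "USER_END", "ts": 150, "ses": 7, "pid": 0, "cmd": ""},
    {"type": "USER_END", "ts": 160, "ses": 8, "pid": 0, "cmd": ""},
    {"type": "SYSCALL", "ts": 170, "ses": 8, "pid": 5000, "cmd": ""},  # 10 s after logout: below threshold
    {"type": "SYSCALL", "ts": 400, "ses": 7, "pid": 4242, "cmd": ""},  # 250 s after logout: alert
    {"type": "SYSCALL", "ts": 420, "ses": 7, "pid": 4242, "cmd": ""},  # same pid, not alerted twice
]

if __name__ == "__main__":
    for pid, cmd, after in detect_surviving_processes(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} active {after}s after logout: {cmd}")
```

Lowering lifetime_threshold also surfaces the short backup job, which is the noise trade-off the ProcessLifetimeThreshold tunable exists to manage.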