Hide Artifacts: Ignore Process Interrupts

Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.[1] These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.

Adversaries may invoke processes using nohup, PowerShell -ErrorAction SilentlyContinue, or similar commands that may be immune to hangups.[2][3] This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.

Hiding from process interrupt signals may allow malware to continue execution, but unlike Trap this does not establish Persistence since the process will not be re-invoked once actually terminated.

ID: T1564.011
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Viren Chaudhari, Qualys
Version: 1.0
Created: 24 August 2023
Last Modified: 06 November 2023

Procedure Examples

ID Name Description
S0588 GoldMax

The GoldMax Linux variant has been executed with the nohup command to ignore hangup signals and continue to run if the terminal session was terminated.[4]

S0402 OSX/Shlayer

OSX/Shlayer has used the nohup command to instruct executed payloads to ignore hangup signals.[5]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments, such as nohup, that may attempt to hide processes from interrupt signals.

DS0009 Process Process Creation

Monitor newly created processes for artifacts, such as nohup or PowerShell -ErrorAction SilentlyContinue, that may attempt to hide processes from interrupt signals.