Ignore Process Interrupts

Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hang-ups, such as when the user of the active session logs off. These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.

Adversaries may invoke processes using nohup, PowerShell -ErrorAction SilentlyContinue, or similar commands that may be immune to hangups. This may enable malicious commands and malware to continue execution, such as users logging off or the termination of its C2 network connection.

Hiding from process interrupt signals may allow malware to continue execution, but unlike Trap this does not establish Persistence since the process will not be re-invoked once actually terminated.

In the example below the nohup command was utilized then a socat 1 liner reverse shell, is functioning properly as the shell was actually caught by our listener and if the user is trying to cancel with a command KILL switch key bind but it's not killed

PreviousHidden Users NextFile/Path Exclusions

Last updated 4 days ago

Was this helpful?