AN0181: Analytic 0181
Execution of processes using nohup or shell redirection to ignore SIGHUP and continue running after session termination. Defender perspective: correlation between commands including nohup, disowned jobs, or `&` suffix with continued process execution after parent terminal exit.
Analyst context for executives and security teams
This analytic is about Linux processes deliberately kept running after a user session or terminal ends, such as through nohup, disowned jobs, shell redirection, or background execution. For leaders, the value is not that these commands are always malicious; it is that persistent post-session execution can blur accountability, complicate incident scoping, and hide activity that outlives the authenticated session that started it.
Executive priority
Prioritize this as a Linux monitoring and incident-readiness validation item. Security leaders should ask whether SOC and IR teams can connect a long-running process back to the user session, terminal, shell, and command line that launched it. This matters for operational resilience and audit evidence because legitimate administration, automation, and suspicious persistence-like behavior may look similar without process lineage and session telemetry.
Technical view
For Linux environments, validate whether detection content can correlate command lines containing nohup, disown-style job handling, shell redirection, or background execution indicators with continued child process execution after the parent terminal or session exits. Because ATT&CK provides no separate official detection text and no relationship context for this analytic, teams should treat it as a behavioral correlation requirement rather than a standalone signature. Useful validation should focus on process start events, command-line capture, parent-child process lineage, terminal/session identifiers, user context, and process lifetime after session termination.
Likely telemetry
- Linux process creation events with full command line
- Parent-child process lineage and process identifiers
- User, UID, login session, terminal, or pseudo-terminal context
- Shell execution history where centrally collected and policy-compliant
- Process termination and lifetime events
Detection direction
- Confirm that Linux endpoint or audit telemetry captures full command lines; without command-line visibility this analytic is likely weak.
- Correlate launch-time indicators such as nohup, disowned jobs, shell redirection, or background execution with process survival after the launching terminal or session exits.
- Tune against expected administrative and operational patterns, such as scheduled maintenance, service wrappers, batch jobs, and legitimate long-running user tasks.
- Avoid treating nohup or background execution alone as high severity; prioritize cases with unusual users, unusual working directories, sensitive hosts, unexpected binaries, or weak lineage.
- Validate that SOC workflows preserve enough session and process lineage to support incident reconstruction, not only alert generation.
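The following is an added worked example of the correlation described in the technical view and detection direction above; it is not code from the page, from ATT&CK or from Glexia. The event classes, field names and sample events are constructed assumptions standing in for whatever process-creation, process-exit and session-end telemetry an endpoint or audit pipeline actually emits.

```python
import re
from dataclasses import dataclass

# Launch-time indicators the analytic names: nohup, disown, a trailing '&', and
# shell output redirection ("> file", "2>&1", "&>") used to detach I/O. Redirection
# alone is noisy; it is one indicator to correlate, not an alert by itself.
INDICATORS = re.compile(r"\b(nohup|disown)\b|&\s*$|\d?>\s*\S|&>")

@dataclass
class ProcStart:  # process creation event with full command line and session context
    pid: int; ppid: int; uid: int; session: str; tty: str; cmd: str; ts: int
@dataclass
class ProcExit:
    pid: int; ts: int
@dataclass
class SessionEnd:  # login session / terminal closed
    session: str; ts: int

def detect_post_session_survival(events):
    """Processes launched with a detach indicator that outlived their session."""
    starts = {e.pid: e for e in events if isinstance(e, ProcStart)}
    exits = {e.pid: e.ts for e in events if isinstance(e, ProcExit)}
    ends = {e.session: e.ts for e in events if isinstance(e, SessionEnd)}
    findings = []
    for p in starts.values():
        end_ts = ends.get(p.session)
        if not INDICATORS.search(p.cmd) or end_ts is None or p.ts > end_ts:
            continue  # no indicator, session still open, or not launched from it
        exit_ts = exits.get(p.pid)
        if exit_ts is not None and exit_ts <= end_ts:
            continue  # finished before the session ended
        findings.append({"pid": p.pid, "ppid": p.ppid, "uid": p.uid,
                         "session": p.session, "tty": p.tty, "cmd": p.cmd,
                         "still_running": exit_ts is None,
                         # lineage is weak when the parent never showed in telemetry
                         "weak_lineage": p.ppid not in starts})
    return findings

# Constructed sample telemetry (not real logs): one interactive session on pts/0.
SAMPLE = [
    ProcStart(4000, 3999, 1000, "s1", "pts/0", "-bash", 100),
    ProcStart(4100, 4000, 1000, "s1", "pts/0",
              "nohup python3 /tmp/sync.py > /tmp/sync.log 2>&1 &", 110),
    ProcStart(4101, 4000, 1000, "s1", "pts/0", "ls -la /var/log", 120),
    ProcExit(4101, 121),
    ProcStart(4102, 4000, 1000, "s1", "pts/0", "sleep 30 &", 130),
    ProcExit(4102, 160),
    SessionEnd("s1", 200), ProcExit(4000, 200),
    ProcStart(5100, 5000, 0, "s2", "pts/1", "tail -f /var/log/syslog &", 300),
]
```

Only the nohup launch is reported: the backgrounded `sleep` exited before the session closed, and the `tail` in the still-open session is not yet a post-session survivor, which is the tuning point the detection direction makes about not alerting on nohup or `&` alone.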
Mitigation priorities
- Establish a baseline of legitimate Linux administrative and automation patterns that use persistent post-session execution.
- Ensure Linux endpoint logging or audit configuration captures process command line, user context, parent process, and session details where appropriate.
- Define operational policy for acceptable long-running user-launched processes on critical systems.
- Use least privilege and access governance to reduce unnecessary interactive Linux access on sensitive hosts.
- Prepare IR playbooks to investigate orphaned or long-running processes by linking process, user, session, and host evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0181, for Linux. It describes defender-side correlation around processes launched with nohup, disowned or backgrounded shell jobs, or shell redirection that continue after the parent terminal exits. No tactics, relationships, aliases, labels, or official detection section were supplied, so this assessment focuses on practical validation and telemetry requirements rather than mapped technique coverage.
This assessment is limited to the supplied STIX fields and external reference. It does not establish maliciousness, active exploitation, attribution, or guaranteed detection coverage. Local baselines are required because the described behavior is common in legitimate Linux administration and automation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 76dff6e54c89… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0181 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.