MITRE ATT&CK® Detection Strategy

DET0067: Detection Strategy for Ignore Process Interrupts

Enterprise | DET0067 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0067 is a detection strategy placeholder for behavior related to ATT&CK technique T1564.011, Ignore Process Interrupts. The practical risk is that a process may be started or configured so it keeps running even when a user session ends or when normal interrupt or termination signals are sent. For leaders, this matters because it can reduce the reliability of manual containment, analyst response actions, and some defensive tooling assumptions during an incident.

Executive priority

Prioritize validation where business-critical Linux, macOS, or Windows systems depend on rapid process termination for containment or operational control. Security leaders should ask whether SOC and IR teams can prove they see suspicious process persistence across logoff, hangup, or interrupt events, and whether response playbooks account for processes that ignore normal stop signals. Because the ATT&CK detection strategy has no official detection text, coverage should be treated as something to validate locally, not assumed for audit or compliance evidence.

Technical view

The supplied object has no platform, tactic, description, or detection guidance of its own. Its value comes from the relationship to T1564.011, a stealth technique involving commands or flags that ignore errors, hangups, or process interrupt signals. SOC and detection engineering teams should validate visibility into process creation, parent-child process context, terminal/session association, logoff or hangup events, and process termination attempts on the related platforms: Linux, macOS, and Windows. IR teams should test whether response procedures can identify and stop processes that survive session termination or do not respond to expected interrupts.

Likely telemetry

  • Process creation events with command-line arguments
  • Parent-child process relationships and user/session context
  • Terminal, shell, logon, logoff, hangup, or session close events
  • Process termination attempts and resulting process state
  • Endpoint detection and response process lifecycle telemetry

Detection direction

  • Map DET0067 coverage to T1564.011 rather than relying on the detection strategy object alone, because no official detection logic is supplied.
  • Look for processes that continue running after the associated interactive session, terminal, or parent shell exits, especially when command-line context indicates signal or hangup handling.
  • Tune carefully for legitimate administrative, service-management, job-control, and long-running workload patterns that may intentionally survive logout or interruption.
  • Validate whether telemetry captures both the attempted interrupt or termination event and the process outcome; without both, analysts may miss failed containment attempts.
  • Review alert triage workflows for cases where an analyst assumes a process was stopped but endpoint telemetry shows it persisted.
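The correlation described in the bullets above, written out as an added example (it is not Glexia's or MITRE's code): it joins process-start, session-end, termination-attempt and process-snapshot events so that a process which outlived its session, and a termination attempt that did not take effect, are both surfaced together. The event schema and the sample records are constructed for illustration, and the command-line indicator list is an assumed starting point to be tuned locally.

```python
import json
import re

# Command-line indicators of hangup/interrupt handling (assumed starter list;
# tune against legitimate service-management and job-control patterns).
SIGNAL_HANDLING = re.compile(
    r"\b(nohup|setsid|disown)\b|\btrap\s+\S+\s+(SIG)?(HUP|INT|TERM)\b", re.I)

# Constructed, simplified EDR-style events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = """\
{"ts":100,"type":"process_start","pid":4101,"ppid":4000,"session":"s7","user":"alice","cmd":"bash -c 'nohup ./sync.sh &'"}
{"ts":101,"type":"process_start","pid":4102,"ppid":4000,"session":"s7","user":"alice","cmd":"vim notes.txt"}
{"ts":150,"type":"session_end","session":"s7","user":"alice"}
{"ts":151,"type":"process_exit","pid":4102}
{"ts":160,"type":"terminate_attempt","pid":4101,"signal":"SIGTERM","actor":"soc-analyst"}
{"ts":200,"type":"process_snapshot","running":[4101,4000]}
"""

def parse_events(text):
    """Parse newline-delimited JSON events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_survivors(events):
    """Return a finding for each process still running in a snapshot after its
    session ended, noting whether a termination attempt was seen (failed
    containment) and whether the command line carried a signal-handling hint."""
    procs, ended, attempts, findings = {}, {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "process_start":
            procs[ev["pid"]] = ev
        elif kind == "process_exit":
            procs.pop(ev["pid"], None)          # exited processes are no longer candidates
        elif kind == "session_end":
            ended[ev["session"]] = ev["ts"]
        elif kind == "terminate_attempt":
            attempts.setdefault(ev["pid"], []).append(ev)
        elif kind == "process_snapshot":
            for pid in ev["running"]:
                p = procs.get(pid)
                if p and p["session"] in ended:  # survived its own session's end
                    findings.append({
                        "pid": pid, "user": p["user"], "cmd": p["cmd"],
                        "session_ended_at": ended[p["session"]],
                        "signal_handling_hint": bool(SIGNAL_HANDLING.search(p["cmd"])),
                        "failed_termination": pid in attempts,
                    })
    return findings
```

Run against the sample it reports pid 4101 (survived session s7, nohup hint, SIGTERM attempt without an exit), while pid 4102 is excluded because its exit was observed.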

Mitigation priorities

  • Establish baseline knowledge of legitimate long-running processes, service managers, scheduled jobs, and administrative patterns that ignore hangups or interrupts.
  • Ensure endpoint logging and EDR configuration preserve process command line, session context, and process lifecycle details on Linux, macOS, and Windows where applicable.
  • Update incident response playbooks to verify process termination through independent telemetry rather than relying only on command success or session closure.
  • Use least privilege and administrative control review to limit who can launch or manage resilient background processes on critical systems.
  • For audit and compliance readiness, document tested detection and response evidence rather than citing DET0067 as proof of implemented coverage.

Analyst notes and limits

This take is based on the DET0067 detection strategy object and its relationship to T1564.011, Ignore Process Interrupts. The object itself does not provide official detection text, platforms, or tactics; the related technique supplies the behavior context, related platforms, and stealth tactic. Treat this as a validation prompt for SOC, IR, and detection engineering rather than a ready-made analytic.

Official ATT&CK fields for DET0067 are sparse: no description, no detection guidance, no object-level platforms, and no object-level tactics are provided. Local operating system mix, EDR/audit configuration, administrative practices, and incident response tooling determine whether meaningful detection or containment evidence exists.

Official MITRE ATT&CK definition

Detection Strategy for Ignore Process Interrupts

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1564.011 | Ignore Process Interrupts (Sub-technique) | This object detects Ignore Process Interrupts.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: not shown
Modified: not shown
Raw hash: 07bb2cbdb4dca26a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 07bb2cbdb4dc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0067 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.