MITRE ATT&CK® Technique

T1564.011: Ignore Process Interrupts

Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.[1] These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.

Adversaries may invoke processes using `nohup`, PowerShell `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.[2][3] This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.

Hiding from process interrupt signals may allow malware to continue execution, but unlike Trap this does not establish Persistence since the process will not be re-invoked once actually terminated.
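As an added illustration of the mechanism (this code is not part of the ATT&CK entry or of Glexia's analysis): on Linux, `nohup` sets SIGHUP to SIG_IGN before exec, and the kernel reports each process's ignored-signal mask in /proc/<pid>/status as SigIgn, so a defender can enumerate processes that will survive a hangup. The live scan assumes a Linux /proc (macOS has none and needs a different check); the status excerpts are constructed samples.

```python
import os

SIGHUP = 1                       # signal number 1 on Linux; bit 0 of the SigIgn mask
SIGHUP_BIT = 1 << (SIGHUP - 1)

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status document into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def ignores_sighup(status_text):
    """True if the SigIgn mask says SIGHUP is set to SIG_IGN (what nohup arranges)."""
    mask = int(parse_status(status_text).get("SigIgn", "0"), 16)
    return bool(mask & SIGHUP_BIT)

def is_orphaned(status_text):
    """True if the parent shell has gone away and the process was reparented to PID 1."""
    return parse_status(status_text).get("PPid") == "1"

def hunt_sighup_ignoring(proc_root="/proc"):
    """Live scan (Linux only): (pid, name, ppid) for every process ignoring SIGHUP.
    Daemons legitimately ignore SIGHUP too; pair hits with command-line and session context."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue                  # process exited or status not readable
        if ignores_sighup(text):
            f = parse_status(text)
            hits.append((int(entry), f.get("Name", "?"), int(f.get("PPid", "0"))))
    return hits

# Constructed /proc/<pid>/status excerpts: a nohup'd job whose shell has already exited,
# and the same job as it would look if started normally (SIGHUP not ignored, shell alive).
SAMPLE_NOHUP_STATUS = ("Name:\tsync.sh\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\n"
                       "SigIgn:\t0000000000000001\nSigCgt:\t0000000000010002\n")
SAMPLE_NORMAL_STATUS = (SAMPLE_NOHUP_STATUS.replace("PPid:\t1\n", "PPid:\t3100\n")
                        .replace("SigIgn:\t0000000000000001", "SigIgn:\t0000000000000000"))

if __name__ == "__main__":
    for pid, name, ppid in hunt_sighup_ignoring():
        print(f"pid={pid} ppid={ppid} name={name} ignores SIGHUP")
```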

Domain: Enterprise. ID: T1564.011. Type: Sub-technique. Object version: 2.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Ignore Process Interrupts is a stealth behavior where an adversary starts commands so they keep running when a user logs off, a shell disconnects, errors occur, or an analyst/tool attempts to interrupt the process. For leaders, the business issue is not persistence by itself, but dwell time: malicious activity may continue after a session appears closed, making containment and incident scoping harder across Linux, macOS, and Windows systems.

Executive priority

Prioritize validation where critical workloads, administrative jump hosts, developer systems, and servers rely on shell or PowerShell activity. Executives should ask whether SOC and incident response teams can prove when long-running commands were launched with interrupt-resistant behavior and whether containment playbooks confirm process termination rather than assuming logout or session closure stopped activity. This technique also supports audit and resilience discussions because it tests the organization’s ability to evidence command execution, process lineage, and response effectiveness.

Technical view

ATT&CK lists this as a sub-technique of Hide Artifacts under stealth, with Linux, macOS, and Windows platforms. The supplied description cites examples such as Linux/macOS-style nohup usage and PowerShell -ErrorAction SilentlyContinue or similar behavior. SOC and IR teams should validate visibility into process creation command lines, shell and PowerShell execution, parent-child relationships, session/logoff events, and process duration after session termination. Because no official ATT&CK detection text is provided, use the related DET0067 detection strategy as a cue to build or review local analytics rather than assuming coverage exists.

Likely telemetry

  • Process creation events with full command line and parent process context
  • Shell execution history or audit logs on Linux and macOS where available
  • PowerShell command, script block, module, and transcript logging where enabled
  • Session start, disconnect, logout, and terminal hangup-related events
  • Process lifetime data showing commands that continue after parent shell or user session ends

Detection direction

  • Look for commands launched with interrupt-resistant semantics such as nohup or PowerShell error-suppression patterns, but tune carefully because administrators and automation commonly use similar options for legitimate long-running jobs.
  • Correlate process start time, parent shell, user session, logout/disconnect events, and continued process execution to distinguish routine background tasks from suspicious activity.
  • Prioritize unusual use by interactive users, unexpected directories, uncommon parent processes, or processes that maintain network activity after the controlling session ends.
  • Validate that command-line capture is complete; without full arguments, this behavior can be difficult to distinguish from normal process execution.
  • Use relationship context to inform threat hunting: ATT&CK links this technique to multiple groups and software entries, including Kimsuky, Sea Turtle, UNC3886, OSX/Shlayer, GoldMax, BPFDoor, BOLDMOVE, and Shai-Hulud, but local evidence is required before drawing attribution conclusions.
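An added example of the correlation described in the first two bullets (not from the page or from Glexia): it joins constructed process-start, process-exit and session-end records, flags launches that match the `nohup` or `-ErrorAction SilentlyContinue` patterns from the ATT&CK description, and keeps only those still running when their session ended. The event schema and field names are assumptions to be mapped onto real EDR, auditd or PowerShell logs.

```python
import re

# Launch patterns named in the ATT&CK description. Extend with local patterns carefully:
# administrators and automation use the same options for legitimate long-running jobs.
INTERRUPT_RESISTANT = {
    "nohup": re.compile(r"(?:^|\s)nohup(?:\s|$)"),
    "powershell_silentlycontinue": re.compile(r"-ErrorAction\s+SilentlyContinue", re.I),
}

def launch_reasons(cmdline):
    return [name for name, rx in INTERRUPT_RESISTANT.items() if rx.search(cmdline)]

def find_session_survivors(events):
    """Interrupt-resistant launches still running when their user session ended."""
    starts, exits, session_end = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "proc_start":
            starts[ev["pid"]] = ev
        elif ev["type"] == "proc_exit":
            exits[ev["pid"]] = ev["ts"]
        elif ev["type"] == "session_end":
            session_end[ev["session"]] = ev["ts"]
    hits = []
    for pid, ev in starts.items():
        reasons = launch_reasons(ev["cmd"])
        ended = session_end.get(ev["session"])
        if not reasons or ended is None:
            continue                       # plain launch, or session still open
        exited = exits.get(pid)
        if exited is None or exited > ended:  # no exit seen, or exit after logout
            hits.append({"pid": pid, "session": ev["session"], "cmd": ev["cmd"],
                         "reasons": reasons, "session_end": ended})
    return hits

# Constructed telemetry (ts in seconds; field names are assumptions). 4242 and 4400 outlive
# their sessions; 4300 exits first; 4310 outlives its session but was launched normally.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "proc_start", "pid": 4242, "session": "alice@pts/2", "cmd": "nohup /tmp/.cache/updater"},
    {"ts": 120, "type": "proc_start", "pid": 4300, "session": "alice@pts/2", "cmd": "nohup /opt/backup/nightly.sh"},
    {"ts": 130, "type": "proc_start", "pid": 4310, "session": "alice@pts/2", "cmd": "sleep 3600"},
    {"ts": 150, "type": "proc_start", "pid": 4400, "session": "bob@console",
     "cmd": 'powershell.exe -Command "Start-Job -FilePath C:\\Temp\\run.ps1 -ErrorAction SilentlyContinue"'},
    {"ts": 200, "type": "proc_exit", "pid": 4300},
    {"ts": 300, "type": "session_end", "session": "alice@pts/2"},
    {"ts": 320, "type": "session_end", "session": "bob@console"},
]

if __name__ == "__main__":
    for hit in find_session_survivors(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} outlived {hit['session']} (ended t={hit['session_end']}): {hit['reasons']}")
```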

Mitigation priorities

  • Ensure endpoint logging captures process command lines and PowerShell activity before relying on detections for this technique.
  • Harden administrative practices by limiting unnecessary interactive shell access, enforcing least privilege, and reviewing who can run long-lived background commands on critical systems.
  • For Windows, enable appropriate PowerShell logging and monitor error-suppression usage in administrative and automation contexts.
  • For Linux and macOS, monitor shell-launched background or hangup-resistant execution on sensitive hosts and review authorized automation patterns to reduce false positives.
  • Update incident response playbooks so containment verifies process termination and follow-on activity, rather than assuming closing a session, disconnecting a shell, or ending a C2 channel stopped execution.

Analyst notes and limits

This behavior is material because it can make malicious execution survive operational events that defenders may casually treat as containment boundaries. It does not establish persistence according to the official ATT&CK description, because the process is not re-invoked once actually terminated. Treat it as a stealth and resilience-of-execution behavior, not as proof of persistence or attribution.

The official ATT&CK object does not provide detection guidance, and the relationship to DET0067 is named but not detailed in the supplied fields. Telemetry and control recommendations therefore require local validation. The supplied platforms are Linux, macOS, and Windows; other platform references appear only in related objects and should not be assumed for this sub-technique without additional evidence.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1564 | Hide Artifacts | This object is a sub-technique of Hide Artifacts.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Group Enterprise

G1041: Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Malware Enterprise

S0588: GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]

Platforms: Windows, Linux

Malware Enterprise

S1184: BOLDMOVE

BOLDMOVE is a type of backdoor malware written in C linked to People’s Republic of China operations from 2022 through 2023. BOLDMOVE includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. BOLDMOVE is linked to zero-day exploitation of CVE-2022-42475 in FortiOS SSL-VPNs.[1] The record for BOLDMOVE only covers known Linux variants.

Platforms: Linux, Network Devices

Malware Enterprise

S9008: Shai-Hulud

Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]

Platforms: Linux, SaaS, Windows

Malware Enterprise

S1161: BPFDoor

BPFDoor is a Linux-based passive long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its usage of Berkeley Packet Filter (BPF) to execute single task instructions. BPFDoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, and can start local or reverse shells that bypass firewalls using iptables.[1][2]

Platforms: Linux

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 7efa782e23fa39e3...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 7efa782e23fa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Linux Signal Man: Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.
  2. [2] nohup Linux Man: Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.
  3. [3] Microsoft PowerShell SilentlyContinue: Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.
  4. [4] mitre-attack T1564.011
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.