Daemonized process triggered multiple tactics


What happened

A process started with nohup or setsid (daemonized execution context) triggered activity mapped to more than two distinct MITRE ATT&CK tactics within the same context.

Goal

Detect potential malware that was deliberately daemonized (nohup/setsid) and then exhibited multiple attack tactics in that context.

Strategy

The execution context rule execution_context_daemonized_process assigns a correlation key to processes started with nohup or setsid. This backend rule counts distinct tactics observed for each such context and triggers when the count exceeds two, indicating diverse malicious behavior (for example, defense evasion, persistence, C2) in a single daemonized tree.
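The two-stage logic described above, as an added illustration that is not Datadog's own rule implementation: an execution-context stage tags every process descended from a nohup/setsid launch with a correlation key, and a backend stage counts the distinct ATT&CK tactics seen under each key and flags any key with more than two. The event records, the key format and the threshold parameter are constructed for this example.

```python
"""
Added example (not Datadog's rule code): simulate a correlation key for
daemonized process trees and count distinct tactics per key.
"""
from collections import defaultdict

DAEMONIZERS = {"nohup", "setsid"}

# Constructed sample telemetry (not real Datadog events). Each record is a
# process event with its pid, parent pid, executed binary and the ATT&CK
# tactic an upstream detection mapped it to (None when nothing fired).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "exe": "bash",    "tactic": None},
    {"pid": 101, "ppid": 100, "exe": "nohup",   "tactic": None},
    {"pid": 102, "ppid": 101, "exe": "sh",      "tactic": None},
    {"pid": 103, "ppid": 102, "exe": "chattr",  "tactic": "defense-evasion"},
    {"pid": 104, "ppid": 102, "exe": "crontab", "tactic": "persistence"},
    {"pid": 105, "ppid": 102, "exe": "curl",    "tactic": "command-and-control"},
    {"pid": 200, "ppid": 1,   "exe": "bash",    "tactic": None},
    {"pid": 201, "ppid": 200, "exe": "setsid",  "tactic": None},
    {"pid": 202, "ppid": 201, "exe": "python",  "tactic": "execution"},
    {"pid": 203, "ppid": 202, "exe": "python",  "tactic": "execution"},
    {"pid": 300, "ppid": 1,   "exe": "wget",    "tactic": "command-and-control"},
]


def assign_correlation_keys(events):
    """Execution-context stage (hypothetical key format): a nohup/setsid
    process and every descendant share the key 'daemonized:<pid>'.
    Processes outside such a tree get no key and are ignored later.
    Events are assumed to arrive in fork order, so parents come first."""
    keys = {}
    for ev in events:
        if ev["exe"] in DAEMONIZERS:
            keys[ev["pid"]] = f"daemonized:{ev['pid']}"
        elif ev["ppid"] in keys:
            keys[ev["pid"]] = keys[ev["ppid"]]
    return keys


def distinct_tactics_per_context(events, keys):
    """Collect the set of distinct tactics observed under each key."""
    tactics = defaultdict(set)
    for ev in events:
        key = keys.get(ev["pid"])
        if key and ev["tactic"]:
            tactics[key].add(ev["tactic"])
    return tactics


def find_triggered_contexts(events, threshold=2):
    """Backend stage: return {key: sorted tactics} for every daemonized
    context whose distinct-tactic count exceeds the threshold ("more than
    two" in the rule text means at least three distinct tactics)."""
    keys = assign_correlation_keys(events)
    per_ctx = distinct_tactics_per_context(events, keys)
    return {k: sorted(v) for k, v in per_ctx.items() if len(v) > threshold}


if __name__ == "__main__":
    for key, tactics in find_triggered_contexts(SAMPLE_EVENTS).items():
        print(f"{key}: {len(tactics)} tactics -> {', '.join(tactics)}")
```

In the constructed sample only the nohup tree (key `daemonized:101`) fires: it spans defense evasion, persistence and command and control. The setsid tree repeats a single tactic and stays below the threshold, and the standalone `wget` has no correlation key at all, which is why it is never counted even though it carries a tactic.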

Triage and response

  1. Identify the process that was run with nohup/setsid and its correlation key.
  2. Review the distinct tactics and associated events in that context to confirm malicious intent.
  3. Scope impact (host, user, container) and contain (isolate workload, kill process tree) as needed.
  4. Escalate and document if the activity meets organizational incident criteria.

Requires the execution context Agent rule execution_context_daemonized_process (def-000-i27) to be enabled.