Daemonized process triggered multiple tactics
What happened
A process started with nohup or setsid (daemonized execution context) triggered activity mapped to more than two distinct MITRE ATT&CK tactics within the same context.
Goal
Detect potential malware that was deliberately daemonized (nohup/setsid) and then exhibited multiple attack tactics in that context.
Strategy
The execution context rule execution_context_daemonized_process assigns a correlation key to processes started with nohup or setsid. This backend rule counts distinct tactics observed for each such context and triggers when the count exceeds two, indicating diverse malicious behavior (for example, defense evasion, persistence, C2) in a single daemonized tree.
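The two-stage correlation described above, written out as an added worked example (this is illustrative code, not Datadog's rule implementation): a first pass assigns a correlation key to any process launched through nohup or setsid and propagates it to descendants, a second pass counts distinct ATT&CK tactics per key and fires when the count exceeds two. The event schema (`type`, `pid`, `ppid`, `comm`, `tactic`) and the sample telemetry are constructed for the example and are not the Agent's actual event format.

```python
"""Worked example of the daemonized-context correlation: not Datadog's code.
Stage 1 mimics the execution-context rule (assign a correlation key to
nohup/setsid launches and their children); stage 2 mimics the backend rule
(distinct tactic count per key, alert when it exceeds two)."""
from collections import defaultdict

DAEMONIZERS = {"nohup", "setsid"}
TACTIC_THRESHOLD = 2  # page: "triggers when the count exceeds two"

# Constructed sample telemetry in arrival order (hypothetical field names).
# nohup/setsid execve() their target in place, so the daemonized pid shows a
# second exec event with the real command name.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "comm": "bash"},
    {"type": "exec", "pid": 101, "ppid": 100, "comm": "nohup"},
    {"type": "exec", "pid": 101, "ppid": 100, "comm": "update.sh"},
    {"type": "detection", "pid": 101, "tactic": "TA0005"},  # Defense Evasion
    {"type": "exec", "pid": 102, "ppid": 101, "comm": "crontab"},
    {"type": "detection", "pid": 102, "tactic": "TA0003"},  # Persistence
    {"type": "exec", "pid": 103, "ppid": 101, "comm": "curl"},
    {"type": "detection", "pid": 103, "tactic": "TA0011"},  # Command and Control
    {"type": "detection", "pid": 103, "tactic": "TA0011"},  # repeat: not distinct
    # A setsid'd job with a single tactic in its context must not fire.
    {"type": "exec", "pid": 200, "ppid": 1, "comm": "setsid"},
    {"type": "exec", "pid": 200, "ppid": 1, "comm": "backup.sh"},
    {"type": "detection", "pid": 200, "tactic": "TA0005"},
    # A process that was never daemonized is outside the rule's scope even
    # if it shows three tactics; other rules cover that case.
    {"type": "exec", "pid": 300, "ppid": 1, "comm": "python3"},
    {"type": "detection", "pid": 300, "tactic": "TA0002"},
    {"type": "detection", "pid": 300, "tactic": "TA0003"},
    {"type": "detection", "pid": 300, "tactic": "TA0005"},
]


def assign_context_keys(events):
    """Stage 1: map pid -> correlation key for daemonized contexts.

    A nohup/setsid exec opens a new context keyed on that pid; any later
    exec whose parent already carries a key inherits it. Events arrive in
    order, so a parent is always seen before its children."""
    key_by_pid = {}
    for ev in events:
        if ev["type"] != "exec":
            continue
        if ev["comm"] in DAEMONIZERS:
            key_by_pid[ev["pid"]] = f"daemonized-{ev['pid']}"
        elif ev["ppid"] in key_by_pid and ev["pid"] not in key_by_pid:
            key_by_pid[ev["pid"]] = key_by_pid[ev["ppid"]]
    return key_by_pid


def correlate(events, threshold=TACTIC_THRESHOLD):
    """Stage 2: per correlation key, collect the set of distinct tactics and
    return only the contexts whose count exceeds the threshold."""
    key_by_pid = assign_context_keys(events)
    tactics_by_key = defaultdict(set)
    for ev in events:
        if ev["type"] == "detection" and ev["pid"] in key_by_pid:
            tactics_by_key[key_by_pid[ev["pid"]]].add(ev["tactic"])
    return {
        key: sorted(tactics)
        for key, tactics in tactics_by_key.items()
        if len(tactics) > threshold
    }


if __name__ == "__main__":
    for key, tactics in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {key}: {len(tactics)} distinct tactics {tactics}")
```

Running the block reports only the `daemonized-101` context (three distinct tactics); the single-tactic setsid job and the non-daemonized pid 300 stay silent, which is the behaviour the Strategy section describes: the tactic count is evaluated per correlation key, not per host or per user.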
Triage and response
- Identify the process that was run with nohup/setsid and its correlation key.
- Review the distinct tactics and associated events in that context to confirm malicious intent.
- Scope impact (host, user, container) and contain (isolate workload, kill process tree) as needed.
- Escalate and document if the activity meets organizational incident criteria.
Requires the execution context Agent rule execution_context_daemonized_process (def-000-i27) to be enabled.