---
title: Daemonized process triggered multiple tactics
description: Datadog, the leading service for cloud-scale monitoring.
---

# Daemonized process triggered multiple tactics

- Classification: attack
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1564-hide-artifacts](https://attack.mitre.org/techniques/T1564)

## What happened{% #what-happened %}

A process started with nohup or setsid (daemonized execution context) triggered activity mapped to more than two distinct MITRE ATT&CK tactics within the same context.

## Goal{% #goal %}

Detect potential malware that was deliberately daemonized (nohup/setsid) and then exhibited multiple attack tactics in that context.

## Strategy{% #strategy %}

The execution context rule `execution_context_daemonized_process` assigns a correlation key to processes started with nohup or setsid. This backend rule counts distinct tactics observed for each such context and triggers when the count exceeds two, indicating diverse malicious behavior (for example, defense evasion, persistence, C2) in a single daemonized tree.
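
The counting logic described above, as an added sketch that is not Datadog's rule code: it groups constructed sample events by correlation key, counts distinct tactics, and keeps the per-tactic evidence a responder would review. The field names (`correlation_key`, `tactic`, `rule`) and the `example_*` rule names are assumptions.

```python
from collections import defaultdict

# Constructed sample events. The field names (correlation_key, tactic, rule)
# and rule names are assumptions for this sketch, not Datadog's event schema.
SAMPLE_EVENTS = [
    {"correlation_key": "ctx-a", "tactic": "TA0005-defense-evasion", "rule": "example_hidden_file"},
    {"correlation_key": "ctx-a", "tactic": "TA0005-defense-evasion", "rule": "example_log_cleared"},
    {"correlation_key": "ctx-a", "tactic": "TA0003-persistence", "rule": "example_cron_modified"},
    {"correlation_key": "ctx-a", "tactic": "TA0011-command-and-control", "rule": "example_outbound_beacon"},
    {"correlation_key": "ctx-b", "tactic": "TA0005-defense-evasion", "rule": "example_hidden_file"},
    {"correlation_key": "ctx-b", "tactic": "TA0003-persistence", "rule": "example_cron_modified"},
    {"correlation_key": None, "tactic": "TA0011-command-and-control", "rule": "example_outbound_beacon"},
]

TACTIC_THRESHOLD = 2  # the page's condition: distinct tactics must exceed two


def evidence_by_context(events):
    """Map correlation key -> tactic -> rule names seen in that context."""
    contexts = defaultdict(lambda: defaultdict(list))
    for event in events:
        key, tactic = event.get("correlation_key"), event.get("tactic")
        if not key or not tactic:
            continue  # outside a daemonized context, or not mapped to a tactic
        contexts[key][tactic].append(event.get("rule", "unknown"))
    return contexts


def triggered_contexts(events, threshold=TACTIC_THRESHOLD):
    """Return contexts whose distinct-tactic count is strictly above threshold."""
    return {
        key: {tactic: rules for tactic, rules in sorted(by_tactic.items())}
        for key, by_tactic in evidence_by_context(events).items()
        if len(by_tactic) > threshold
    }


if __name__ == "__main__":
    for key, by_tactic in triggered_contexts(SAMPLE_EVENTS).items():
        print(f"ALERT correlation_key={key} distinct_tactics={len(by_tactic)}")
        for tactic, rules in by_tactic.items():
            print(f"  {tactic}: {', '.join(rules)}")
```

In the sample, `ctx-a` triggers with three distinct tactics even though one tactic repeats, while `ctx-b` stays silent at exactly two and the event without a correlation key is ignored.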

## Triage and response{% #triage-and-response %}

1. Identify the process that was run with nohup/setsid and its correlation key.
1. Review the distinct tactics and associated events in that context to confirm malicious intent.
1. Scope impact (host, user, container) and contain (isolate workload, kill process tree) as needed.
1. Escalate and document if the activity meets organizational incident criteria.

*Requires the execution context Agent rule `execution_context_daemonized_process` (def-000-i27) to be enabled.*
