title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: experimental
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
references:
  - https://gtfobins.github.io/gtfobins/nohup/
  - https://en.wikipedia.org/wiki/Nohup
  - https://www.computerhope.com/unix/unohup.htm
date: 2022/06/06
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith: '/nohup'
  condition: selection
falsepositives:
  - Administrators or installed processes that leverage nohup
level: medium