administrators or installed processes that leverage nohup

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml>sigma
technicques: t1059 t1059.004

Techniques

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

condition: selection
selection:
  Image|endswith: /nohup