T1546.005: Trap

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands take the form trap 'command list' signals, where the quoted "command list" is executed when any of the listed "signals" is received.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_execution: PT-CR-1021: Unix_Suspicious_Command: Suspicious commands were executed on a Unix host

Detection

ID: DS0022
Data source and component: File: File Creation
Description: Monitor for newly constructed files that may establish persistence by executing malicious content triggered by an interrupt signal.

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.

ID: DS0022
Data source and component: File: File Modification
Description: Monitor for changes made to files that may establish persistence by executing malicious content triggered by an interrupt signal.
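As an added example (not from the ATT&CK entry or the MaxPatrol rule), the following script turns the trap 'command list' signals format above and the file-content and command-execution data sources listed under Detection into a concrete hunt: it classifies a single line as a trap handler registration (ignoring the benign listing, reset and ignore forms) and scans a shell startup file for such registrations. The signal list and the sample .bashrc it builds are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the ATT&CK entry or MaxPatrol: hunt for trap
# handler registrations in shell startup files (DS0022 file artefacts) and
# classify single command lines (DS0017 command-execution records).
# SUSPECT_SIGNALS and the sample profile below are constructed assumptions.

SUSPECT_SIGNALS='EXIT|HUP|INT|QUIT|TERM|SIGHUP|SIGINT|SIGQUIT|SIGTERM|DEBUG|ERR|0'

# is_trap_registration LINE: exit 0 if LINE installs a handler that runs a
# command on one of SUSPECT_SIGNALS. Listing (trap -l / -p), reset
# (trap - SIG) and ignore (trap '' SIG) forms are benign and exit 1.
is_trap_registration() {
    local line="$1"
    case "$line" in
        *trap\ -[lp]*) return 1 ;;
        *"trap - "*|*"trap '' "*|*'trap "" '*) return 1 ;;
    esac
    printf '%s\n' "$line" | grep -Eq \
        "(^|[;&|[:space:]])trap[[:space:]]+(--[[:space:]]+)?(['\"]|[^-[:space:]]).*[[:space:]]+($SUSPECT_SIGNALS)([[:space:]]|$)"
}

# scan_file PATH: print PATH:LINENO:LINE for every registration found.
scan_file() {
    local path="$1" lineno=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        if is_trap_registration "$line"; then
            printf '%s:%d:%s\n' "$path" "$lineno" "$line"
        fi
    done < "$path"
}

# count_trap_registrations PATH: number of registrations in PATH, on stdout.
count_trap_registrations() {
    scan_file "$1" | awk 'END { print NR }'
}

# make_sample_profile: write a constructed ~/.bashrc to a temp file, print its path.
# Lines 3 and 5 register handlers; line 5 is the persistence pattern of interest.
make_sample_profile() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
export PATH="$HOME/bin:$PATH"
trap '' QUIT
trap 'rm -f "$TMPFILE"' EXIT
alias ll='ls -la'
trap -- '/tmp/.cache/upd >/dev/null 2>&1 &' INT TERM HUP
trap -l
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: scan the constructed profile. A real hunt would walk
# /etc/profile, /etc/bash.bashrc, ~/.bashrc, ~/.profile and similar files.
sample="$(make_sample_profile)"
scan_file "$sample"
rm -f "$sample"
```

Every registration is reported, including legitimate cleanup handlers, so the handler command in each hit still needs an analyst's look; the value is in surfacing handlers an interactive user never wrote.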