T1546.005
Event Triggered Execution: Trap
Description from ATT&CK
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The
trapcommand allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts likectrl+candctrl+d.Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format
trap 'command list' signalswhere "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
Atomic Tests
- Atomic Test #1: Trap EXIT
- Atomic Test #2: Trap EXIT (freebsd)
- Atomic Test #3: Trap SIGINT
- Atomic Test #4: Trap SIGINT (freebsd)
Atomic Test #1: Trap EXIT
Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt
Supported Platforms: macOS, Linux
auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61
Attack Commands: Run with sh!
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'Cleanup Commands
rm -f /tmp/art-fish.txtAtomic Test #2: Trap EXIT (freebsd)
Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt
Supported Platforms: Linux
auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f
Attack Commands: Run with sh!
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'Cleanup Commands
rm -f /tmp/art-fish.txtDependencies: Run with sh!
Description: Check if bash is installed.
Check Prereq Commands
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;Get Prereq Commands
(which pkg && pkg install -y bash)Atomic Test #3: Trap SIGINT
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt
Supported Platforms: macOS, Linux
auto_generated_guid: a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
Attack Commands: Run with sh!
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'Cleanup Commands
rm -f /tmp/art-fish.txtAtomic Test #4: Trap SIGINT (freebsd)
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt
Supported Platforms: Linux
auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada
Attack Commands: Run with sh!
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'Cleanup Commands
rm -f /tmp/art-fish.txtDependencies: Run with sh!
Description: Check if bash is installed.
Check Prereq Commands
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;Get Prereq Commands
(which pkg && pkg install -y bash)Atomic test(s) for this technique last updated: 2023-11-06 22:41:43 UTC