T1546.005 Trap

Sub-technique of T1546

Platforms: macOS · Linux

ATT&CK version: 14.1

What it is

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format: trap 'command list' signals, where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
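
A defender can inventory these registrations by searching shell files for statements of the trap 'command list' signals form. The script below is an added example, not code from MITRE or from this page; the function names, the list of startup files scanned and the sample file are assumptions made for illustration, and the match is a heuristic that reports the raw statement for review.

```shell
#!/bin/sh
# Added example, not MITRE's or the page's code: heuristic inventory of
# trap 'command list' signals registrations in shell startup files.

# find_traps FILE...  prints "file:line:statement" for each registration.
find_traps() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                      # skip comment lines
            {
                line = " " $0                        # give a leading "trap" a delimiter
                if (!match(line, /[;&|({ \t]trap[ \t]+/)) next
                rest = substr(line, RSTART + RLENGTH)
                if (rest ~ /^-[pl]([ \t]|$)/) next   # trap -p / -l only list
                if (rest ~ /^-[ \t]/) next           # trap - SIG restores the default
                sub(/^[ \t]+/, "")
                printf "%s:%d:%s\n", file, NR, $0
            }' "$f"
    done
}

# Assumed scan scope: startup and logout files read by sh, bash and zsh.
scan_startup_files() {
    find_traps /etc/profile /etc/profile.d/*.sh /etc/bash.bashrc /etc/zshrc \
        "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc" \
        "$HOME/.bash_logout" "$HOME/.zshrc"
}

# Constructed sample input: lines 3 and 4 register handlers, the rest do not.
write_sample() {
    cat > "$1" <<'EOF'
# trap 'echo commented out' INT
export PATH="$HOME/bin:$PATH"
trap 'rm -f "$TMPFILE"' EXIT
cleanup() { :; }; trap cleanup INT TERM
trap -p
trap - INT
alias ll='ls -l'
EOF
}

# Demo on the constructed sample only; call scan_startup_files for a real host.
sample=$(mktemp) && write_sample "$sample" && find_traps "$sample"
rm -f "$sample"
```

Run scan_startup_files as each account of interest and compare the output against a known-good baseline. In a live bash session, trap -p lists the handlers currently registered.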

ATT&CK tactics · 2

Privilege Escalation · Persistence

References

  1. https://attack.mitre.org/techniques/T1546/005
  2. https://ss64.com/bash/trap.html
  3. https://bash.cyberciti.biz/guide/Trap_statement
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.