T1546.005 - Event Triggered Execution: Trap
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.
Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format: trap 'command list' signals, where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
Atomic Tests
Atomic Test #1 - Trap EXIT
Launch a bash shell with a command argument that creates a trap on EXIT.
The trap executes a script that writes to /tmp/art-fish.txt.
Supported Platforms: macOS, Linux
auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61
Attack Commands: Run with !
    bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
Cleanup Commands:
    rm -f /tmp/art-fish.txt
Atomic Test #2 - Trap EXIT (freebsd)
Launch a bash shell with a command argument that creates a trap on EXIT.
The trap executes a script that writes to /tmp/art-fish.txt.
Supported Platforms: Linux
auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f
Attack Commands: Run with !
    bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
Cleanup Commands:
    rm -f /tmp/art-fish.txt
Dependencies: Run with !
Description: Check if bash is installed.
Check Prereq Commands:
    if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
Get Prereq Commands:
    (which pkg && pkg install -y bash)
Atomic Test #3 - Trap SIGINT
Launch a bash shell with a command argument that creates a trap on SIGINT (CTRL+C), then send the SIGINT signal.
The trap executes a script that writes to /tmp/art-fish.txt.
Supported Platforms: macOS, Linux
auto_generated_guid: a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
Attack Commands: Run with !
    bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
Cleanup Commands:
    rm -f /tmp/art-fish.txt
Atomic Test #4 - Trap SIGINT (freebsd)
Launch a bash shell with a command argument that creates a trap on SIGINT (CTRL+C), then send the SIGINT signal.
The trap executes a script that writes to /tmp/art-fish.txt.
Supported Platforms: Linux
auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada
Attack Commands: Run with !
    bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
Cleanup Commands:
    rm -f /tmp/art-fish.txt
Dependencies: Run with !
Description: Check if bash is installed.
Check Prereq Commands:
    if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
Get Prereq Commands:
    (which pkg && pkg install -y bash)
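Detection sketch for the tests above, added here as an example and not part of the Atomic Red Team project: it parses process command lines, follows `bash -c` nesting, and reports every trap that registers a handler, marking handlers that detach a child the way the tests do with nohup. The (pid, command line) event shape, the function names and the `detached` heuristic are assumptions; the sample events are constructed from the page's commands plus one ordinary cleanup trap.

```python
import re
import shlex

SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
PUNCT = set("();<>|&")

def simple_commands(text):
    """Yield simple commands (word lists), split at ; & | && || ( ) and redirections."""
    lexer = shlex.shlex(text.replace("\n", "\n;\n"), posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    cmd = []
    for tok in list(lexer) + [";"]:
        if tok and set(tok) <= PUNCT:   # operator token ends the current command
            if cmd:
                yield cmd
            cmd = []
        else:
            cmd.append(tok)

def find_traps(text, depth=0):
    """Return [(handler, [signals])] per registering trap; follows nested `sh -c` 3 deep."""
    found = []
    try:
        commands = list(simple_commands(text))
    except ValueError:  # unbalanced quotes: not parseable as shell text
        return found
    for cmd in commands:
        name, args = cmd[0].rsplit("/", 1)[-1], cmd[1:]
        if name == "trap":
            args = args[1:] if args[:1] == ["--"] else args
            # Skip listings (-l, -p), resets (trap - INT, trap 2), ignores (trap '' INT).
            if len(args) > 1 and args[0] not in ("", "-", "-l", "-p") and not args[0].isdigit():
                found.append((args[0], [re.sub(r"^SIG", "", s.upper()) for s in args[1:]]))
        elif name in SHELLS and "-c" in args[:-1] and depth < 3:
            found += find_traps(args[args.index("-c") + 1], depth + 1)
    return found

def alerts(events):
    """events: iterable of (pid, cmdline). One dict per registered trap handler."""
    return [{"pid": pid, "signals": sigs, "handler": handler,
             "detached": bool(re.search(r"\b(nohup|setsid|disown)\b|&\s*$", handler))}
            for pid, cmdline in events for handler, sigs in find_traps(cmdline)]

# Constructed sample events: the page's EXIT and SIGINT tests, then a benign cleanup trap.
SAMPLE = [
    (4101, """bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'"""),
    (4102, """bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'"""),
    (4104, """sh -c 'tmp=$(mktemp); trap "rm -f $tmp" EXIT INT TERM; sort data > "$tmp"'"""),
]
```

Because graceful-termination traps are common in legitimate scripts, the `detached` field is meant for triage ordering, not as a verdict on its own.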