Try it using Invoke-Atomic

Event Triggered Execution: Trap

Description from ATT&CK

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)

Atomic Tests

Atomic Test #1 - Trap

After exiting the shell, the script will download and execute. After sending a keyboard interrupt (CTRL+C) the script will download and execute.

Supported Platforms: macos,linux

auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61

Inputs:

None

Attack Commands: Run with sh!

1
2
3
4
trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
exit
trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt

source