T1546.005 - Trap#

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format: trap 'command list' signals, where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
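As an added example (not code from the Atomic Red Team page or the MITRE description), the POSIX sh script below exercises the `trap 'command list' signals` form: it registers a handler in a child shell, triggers either EXIT or SIGINT, and reports whether the command list actually ran. The function name `run_trap_demo`, the marker file and the `notrap` mode are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the Atomic Red Team page: exercises the
# `trap 'command list' signals` form and checks whether the registered
# command list ran. Names (run_trap_demo, the marker file, the "notrap"
# mode) are assumptions made for this demo.

# run_trap_demo SIGNAL [notrap]
#   SIGNAL is EXIT or INT (bash also accepts the SIGINT spelling used by the
#   atomic tests). The handler proves it ran by writing a marker file. With
#   "notrap" no handler is registered, so the marker must stay absent.
#   Returns 0 if the handler fired, 1 otherwise.
run_trap_demo() {
    signal="$1"
    mode="${2:-trap}"
    marker="$(mktemp)"      # constructed marker path; removed before the run
    rm -f "$marker"

    # A fresh `sh -c` is used instead of a ( ) subshell: inside ( ), $$ still
    # expands to the PID of the parent script, so `kill -INT $$` would hit the
    # script itself rather than the shell that owns the trap. This mirrors the
    # `bash -c '... && kill -SIGINT $$'` pattern used by Atomic Test #3.
    sh -c '
        marker="$1"; signal="$2"; mode="$3"
        if [ "$mode" != notrap ]; then
            # "command list" is a string the shell evaluates when the signal arrives
            trap "echo fired > \"$marker\"" "$signal"
        fi
        if [ "$signal" = INT ]; then
            kill -INT $$        # deliver SIGINT to this shell, as Ctrl+C would
        fi
        exit 0                  # an EXIT trap runs here, on normal termination
    ' trap_demo "$marker" "$signal" "$mode"

    if [ -f "$marker" ]; then
        rm -f "$marker"
        return 0
    fi
    return 1
}

# Stand-alone run: one line per scenario.
for s in EXIT INT; do
    if run_trap_demo "$s"; then echo "$s: handler fired"; else echo "$s: handler did not fire"; fi
done
if run_trap_demo EXIT notrap; then echo "notrap: unexpected"; else echo "notrap: nothing fired, as expected"; fi
```

The `notrap` run is the control: it shows the marker only appears because a handler was registered, which is the same observation a defender relies on when a script keeps producing side effects after it "ended".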

Atomic Tests#

Atomic Test #1 - Trap EXIT#

Launch bash shell with command arg to create TRAP on EXIT. The trap executes a script that writes to /tmp/art-fish.txt

Supported Platforms: macos, linux

Attack Commands: Run with sh#

bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
Invoke-AtomicTest T1546.005 -TestNumbers 1

Cleanup:#

rm -f /tmp/art-fish.txt
Invoke-AtomicTest T1546.005 -TestNumbers 1 -Cleanup

Atomic Test #2 - Trap EXIT (freebsd)#

Launch bash shell with command arg to create TRAP on EXIT. The trap executes a script that writes to /tmp/art-fish.txt

Supported Platforms: linux

Dependencies: Run with sh!#

Description: Check if bash is installed.#
Check Prereq Commands:#
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
Get Prereq Commands:#
(which pkg && pkg install -y bash)
Invoke-AtomicTest T1546.005 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with sh#

bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
Invoke-AtomicTest T1546.005 -TestNumbers 2

Cleanup:#

rm -f /tmp/art-fish.txt
Invoke-AtomicTest T1546.005 -TestNumbers 2 -Cleanup

Atomic Test #3 - Trap SIGINT#

Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes a script that writes to /tmp/art-fish.txt

Supported Platforms: macos, linux

Attack Commands: Run with sh#

bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
Invoke-AtomicTest T1546.005 -TestNumbers 3

Cleanup:#

rm -f /tmp/art-fish.txt
Invoke-AtomicTest T1546.005 -TestNumbers 3 -Cleanup

Atomic Test #4 - Trap SIGINT (freebsd)#

Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes a script that writes to /tmp/art-fish.txt

Supported Platforms: linux

Dependencies: Run with sh!#

Description: Check if bash is installed.#
Check Prereq Commands:#
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
Get Prereq Commands:#
(which pkg && pkg install -y bash)
Invoke-AtomicTest T1546.005 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with sh#

bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
Invoke-AtomicTest T1546.005 -TestNumbers 4

Cleanup:#

rm -f /tmp/art-fish.txt
Invoke-AtomicTest T1546.005 -TestNumbers 4 -Cleanup

Detection#

Trap commands must be registered in the shell or in program and script files, so they are visible on disk. Monitoring those files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.
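An added audit helper for the detection guidance above (not part of the Atomic Red Team page): it lists every trap statement in a shell startup or script file and gives each a verdict, so an analyst can separate cleanup traps from handlers that launch content from world-writable locations. The function names, the indicator list and the constructed sample rc file are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the Atomic Red Team page: a small audit helper for
# the detection guidance above. It lists trap statements found in a shell
# startup or script file and gives each a verdict. The indicator list and the
# sample rc file below are constructed assumptions for this demo.

# classify_trap_line LINE
#   RESET   : trap that resets or ignores a signal (trap - SIG, trap '' SIG)
#   SUSPECT : handler runs content from a world-writable location, wraps it in
#             nohup, or fetches/decodes payload-like data (constructed heuristic)
#   REVIEW  : any other trap; cleanup traps on EXIT are common and usually benign
classify_trap_line() {
    case "$1" in
        *"trap - "*|*"trap '' "*|*'trap "" '*) echo RESET ;;
        *nohup*|*/tmp/*|*/var/tmp/*|*/dev/shm/*|*curl*|*wget*|*base64*) echo SUSPECT ;;
        *) echo REVIEW ;;
    esac
}

# scan_trap_statements FILE
#   Prints "VERDICT<TAB>FILE:LINE<TAB>TEXT" for every trap statement in FILE.
#   A statement is "trap" at line start or right after ; & | ( so that chained
#   forms such as `cd /work && trap ... SIGINT` are not missed.
scan_trap_statements() {
    file="$1"
    grep -nE '(^|[;&|(])[[:space:]]*trap[[:space:]]' "$file" 2>/dev/null |
    while IFS= read -r hit; do
        lineno="${hit%%:*}"     # grep -n prefixes each hit with "N:"
        text="${hit#*:}"
        printf '%s\t%s:%s\t%s\n' "$(classify_trap_line "$text")" "$file" "$lineno" "$text"
    done
}

# count_suspect FILE: number of SUSPECT verdicts, usable as a simple alert gate.
count_suspect() {
    scan_trap_statements "$1" | grep -c '^SUSPECT'
}

# make_sample_rc: writes a constructed .bashrc-like file and prints its path.
make_sample_rc() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample rc file for the demo
export PATH="$HOME/bin:$PATH"
trap - INT
trap 'rm -f "$TMPFILE"' EXIT
alias ll='ls -la'
trap "nohup sh /tmp/.cache/update.sh" EXIT
cd /work && trap 'sh /dev/shm/.x' SIGINT
EOF
    echo "$f"
}

# Stand-alone run against the constructed file; in practice point it at
# ~/.bashrc, ~/.profile, /etc/profile.d/* and any script collected during an investigation.
sample="$(make_sample_rc)"
scan_trap_statements "$sample"
echo "suspect traps: $(count_suspect "$sample")"
rm -f "$sample"
```

The verdicts are deliberately coarse: a plain EXIT trap is flagged REVIEW rather than SUSPECT because cleanup handlers are common, while anything that hands execution to a script under /tmp, /var/tmp or /dev/shm, or detaches it with nohup, matches the pattern the atomic tests above exercise and is worth a closer look.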