security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1546.005/T1546.005.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

178 lines
3.6 KiB
Markdown
Raw Permalink Blame History

# T1546.005 - Event Triggered Execution: Trap
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/005)
<blockquote>
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.
Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Trap EXIT](#atomic-test-1---trap-exit)
- [Atomic Test #2 - Trap EXIT (freebsd)](#atomic-test-2---trap-exit-freebsd)
- [Atomic Test #3 - Trap SIGINT](#atomic-test-3---trap-sigint)
- [Atomic Test #4 - Trap SIGINT (freebsd)](#atomic-test-4---trap-sigint-freebsd)
<br/>
## Atomic Test #1 - Trap EXIT
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** a74b2e07-5952-4c03-8b56-56274b076b61
#### Attack Commands: Run with `sh`!
```sh
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
```
#### Cleanup Commands:
```sh
rm -f /tmp/art-fish.txt
```
<br/>
<br/>
## Atomic Test #2 - Trap EXIT (freebsd)
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
**Supported Platforms:** Linux
**auto_generated_guid:** be1a5d70-6865-44aa-ab50-42244c9fd16f
#### Attack Commands: Run with `sh`!
```sh
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
```
#### Cleanup Commands:
```sh
rm -f /tmp/art-fish.txt
```
#### Dependencies: Run with `sh`!
##### Description: Check if bash is installed.
##### Check Prereq Commands:
```sh
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```sh
(which pkg && pkg install -y bash)
```
<br/>
<br/>
## Atomic Test #3 - Trap SIGINT
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
#### Attack Commands: Run with `sh`!
```sh
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
```
#### Cleanup Commands:
```sh
rm -f /tmp/art-fish.txt
```
<br/>
<br/>
## Atomic Test #4 - Trap SIGINT (freebsd)
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
**Supported Platforms:** Linux
**auto_generated_guid:** ade10242-1eac-43df-8412-be0d4c704ada
#### Attack Commands: Run with `sh`!
```sh
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
```
#### Cleanup Commands:
```sh
rm -f /tmp/art-fish.txt
```
#### Dependencies: Run with `sh`!
##### Description: Check if bash is installed.
##### Check Prereq Commands:
```sh
if [ ! -x "$(command -v bash)" ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```sh
(which pkg && pkg install -y bash)
```
<br/>
Reference in New Issue View Git Blame Copy Permalink