blue-team-tools/rules/linux/lnx_trap.yml

title: Trap Command Usage
id: 6faa0d2c-5e4d-431c-b01f-cf447c913e4d 
description: Detects Trap command usage
references:
    - https://attack.mitre.org/techniques/T1154/
author: Ömer Günal
date: 2020/06/17
tags:
    - attack.execution
    - attack.t1154
level: low
logsource:
    product: linux
detection:
    keyword:
        - 'trap *'
    condition: keyword
falsepositives:
    - Legitimate administration activities