T1546.005

Event Triggered Execution: Trap

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command makes it possible for programs and shells to specify commands that are executed when an interrupt signal is received. A common situation is a script that allows graceful termination and handling of common keyboard interrupts such as ctrl+c and ctrl+d.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts, as a persistence mechanism. Trap commands take the form trap 'command list' signals, where "command list" is executed when any of "signals" is received.[1][2]

Adversaries can use this to register code that is executed when the shell encounters specific interrupts, as a persistence mechanism. Trap commands take the following form:
trap 'command list' signals
When signals is received, command list is executed.
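The trap format described above, as an added example that is not part of the ATT&CK page or its references: a legitimate cleanup handler written in that format, and a small audit helper (hypothetical names graceful_demo, find_traps, count_traps, make_sample_profile) that lists trap registrations in shell startup files, which is where a trap that survives across sessions would have to be written. The startup file it inspects is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the ATT&CK page. Demonstrates the documented
# format  trap 'command list' signals  in a legitimate cleanup handler, and
# an audit helper that reports trap registrations found in startup files.

# Legitimate use: remove a temp file if the script is interrupted.
graceful_demo() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"; echo "interrupted, cleaned up"; exit 130' INT TERM
    echo "work in progress" > "$tmp"
    # ... real work would go here ...
    trap - INT TERM          # disarm once the critical section is over
    rm -f "$tmp"
    echo "finished normally"
}

# find_traps FILE...: print "file:line:text" for every line that registers
# a trap handler. Matches 'trap' at the start of a statement (also after
# ';', '&&' or '||'), ignores 'trap -' resets and skips comment lines.
find_traps() {
    grep -nH -E '(^|;|&&|\|\|)[[:space:]]*trap[[:space:]]+[^-]' "$@" 2>/dev/null \
        | grep -v -E '^[^:]+:[0-9]+:[[:space:]]*#'
}

# count_traps FILE...: number of trap registrations found (0 if none).
count_traps() {
    find_traps "$@" | wc -l | tr -d ' '
}

# Constructed sample startup file (placeholder content, not a real
# indicator) used to exercise the helper; prints its path.
make_sample_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
trap 'echo "session ended"' EXIT
# trap 'this line is only a comment' INT
alias ll='ls -la'; trap 'date >> "$HOME/.sig.log"' INT
trap - TERM
EOF
    echo "$f"
}
```

Running find_traps over the files a shell sources at start (for example ~/.bashrc, ~/.profile, /etc/profile) gives a baseline to diff against when File Modification alerts fire on those paths.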

Note: a memo about trap in the shell

ID: T1546.005
Sub-technique of: T1546
Platforms: Linux, macOS
Permissions Required: Administrator, User
Version: 1.0
Created: 24 January 2020
Last Modified: 24 March 2020

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.

DS0022 File File Creation

Monitor for newly constructed files that may establish persistence by executing malicious content triggered by an interrupt signal.

DS0022 File File Modification

Monitor for changes made to files that may establish persistence by executing malicious content triggered by an interrupt signal.

DS0009 Process Process Creation

Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal.

References