1. Home
  2. Techniques
  3. Enterprise
  4. Event Triggered Execution
  5. Trap

Event Triggered Execution: Trap

ID Name
T1546.001 Change Default File Association
T1546.002 Screensaver
T1546.003 Windows Management Instrumentation Event Subscription
T1546.004 Unix Shell Configuration Modification
T1546.005 Trap
T1546.006 LC_LOAD_DYLIB Addition
T1546.007 Netsh Helper DLL
T1546.008 Accessibility Features
T1546.009 AppCert DLLs
T1546.010 AppInit DLLs
T1546.011 Application Shimming
T1546.012 Image File Execution Options Injection
T1546.013 PowerShell Profile
T1546.014 Emond
T1546.015 Component Object Model Hijacking
T1546.016 Installer Packages
T1546.017 Udev Rules
T1546.018 Python Startup Hooks

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where "command list" will be executed when "signals" are received.[1][2]

ID: T1546.005
Sub-technique of:  T1546
Platforms: Linux, macOS
Version: 1.1
Created: 24 January 2020
Last Modified: 24 October 2025
Version Permalink

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0369 Detection Strategy for Event Triggered Execution via Trap (T1546.005) AN1038

Correlate file modifications in shell startup scripts (e.g., .bashrc, .profile) with embedded trap commands and observe if those changes are followed by the unexpected execution of child processes when terminal signals (e.g., SIGINT) are triggered. Use contextual linking with user session activity to detect privilege misuse.
AN1039

Detect unauthorized trap command registrations in shell startup files (e.g., .zprofile, .bash_profile, .zshrc) followed by execution chains during user terminal interaction. Use Unified Logs and EDR telemetry to correlate shell command parsing and process tree anomalies.

References

  1. ss64. (n.d.). trap. Retrieved May 21, 2019.
  1. Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, 2019.