Esc
Trap - T1546.005
(ATT&CK® Technique)
Definition
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1546005["Trap"] --> |executes| Command["Command"]; class T1546005 OffensiveTechniqueNode;
class Command ArtifactNode; click Command href "/dao/artifact/d3f:Command";
click T1546005 href "/offensive-technique/attack/T1546.005/"; click Command href "/dao/artifact/d3f:Command"; T1546005["Trap"] --> |modifies| EventLog["Event Log"]; class T1546005 OffensiveTechniqueNode;
class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
click T1546005 href "/offensive-technique/attack/T1546.005/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1546005["Trap"] --> |may-create| ExecutableScript["Executable Script"]; class T1546005 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1546005 href "/offensive-technique/attack/T1546.005/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1546005["Trap"] --> |may-modify| ExecutableScript["Executable Script"]; class T1546005 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1546005 href "/offensive-technique/attack/T1546.005/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableScript["Executable Script"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1546005["Trap"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1546005["Trap"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableScript["Executable Script"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1546005["Trap"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableScript["Executable Script"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1546005["Trap"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1546005["Trap"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableScript["Executable Script"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1546005["Trap"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableScript["Executable Script"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1546005["Trap"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; FileEviction["File Eviction"] -->
| deletes | ExecutableScript["Executable Script"];
FileEviction["File Eviction"] -.->
| may-evict | T1546005["Trap"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableScript["Executable Script"];
FileEncryption["File Encryption"] -.->
| may-harden | T1546005["Trap"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1546005["Trap"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RestoreFile["Restore File"] -->
| restores | ExecutableScript["Executable Script"];
RestoreFile["Restore File"] -.->
| may-restore | T1546005["Trap"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableScript["Executable Script"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1546005["Trap"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";