Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.
Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format:
trap 'command list' signals
where "command list" will be executed when "signals" are received. (Citation: Trap Manual)(Citation: Cyberciti Trap Statements)
After exiting the shell, the script will download and execute. After sending a keyboard interrupt (CTRL+C) the script will download and execute.
Supported Platforms: macOS, Linux
trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
exit
trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINT
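
A defender-side check for the trap registrations shown above, as an added example that is not part of the original page: it scans shell startup files for trap statements that register a handler and marks those whose handler detaches, downloads, decodes, or starts another shell. The function names, the keyword list, and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list trap handlers registered in shell startup files.
# The keyword list and the sample file are assumptions, not taken from the page.

# find_trap_handlers FILE...
# Prints "file:line:verdict:handler and signals" for each trap that runs a command.
find_trap_handlers() {
    awk -v q="'" '
        /^[ \t]*#/ { next }    # skip whole-line comments
        {
            # trap must be a command word: at line start or after ; & | ( {
            hit = match($0, /^[ \t]*trap[ \t]+/)
            if (!hit) hit = match($0, /[;&|({][ \t]*trap[ \t]+/)
            if (!hit) next
            rest = substr($0, RSTART + RLENGTH)
            # "trap -l", "trap -p" and "trap - SIG" register nothing
            if (rest ~ /^-[lp]?[ \t]/ || rest ~ /^-[lp]?$/) next
            # an empty handler only makes the shell ignore the signal
            if (index(rest, q q " ") == 1 || index(rest, "\"\" ") == 1) next
            verdict = "review"
            # handlers that detach, download, decode or start another shell
            if (rest ~ /nohup|curl|wget|base64|\/tmp\/|\|[ \t]*(ba|z)?sh|[^A-Za-z0-9_](ba|z)?sh[ \t]/)
                verdict = "SUSPICIOUS"
            printf "%s:%d:%s:%s\n", FILENAME, FNR, verdict, rest
        }
    ' "$@"
}

# write_sample_rc PATH: constructed startup file holding the two traps from this page
write_sample_rc() {
    cat > "$1" <<'EOF'
# constructed sample, not a real user profile
export PATH="$HOME/bin:$PATH"
trap 'rm -f "$tmpfile"' EXIT
trap - INT
# trap 'echo disabled' TERM
trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
cd /tmp && trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINT
EOF
}

# Scan the files named on the command line, e.g. ~/.bashrc ~/.profile
if [ "$#" -gt 0 ]; then find_trap_handlers "$@"; fi
```

Lines marked review are ordinary cleanup handlers that still deserve a look; the scan covers only files on disk, so traps set interactively in a live shell need process command-line telemetry instead.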