Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands
that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like
ctrl+c and ctrl+d.
攻撃者は、割り込み信号をトリガーに悪意のあるコンテンツを実行することで、永続性を確立することがあります。trapコマンドは、プログラムやシェルが割り込み信号を受信したときに実行されるコマンドを指定することを可能にします。一般的な状況は、ctrl+c や ctrl+d
のような一般的なキーボード割り込みのグレイスフル終了と処理を可能にするスクリプトです。
Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format
trap 'command list' signals where "command list" will be executed when "signals" are received.[1][2]
攻撃者はこれを利用して、永続化メカニズムとして、シェルが特定の割り込みに遭遇したときに実行するコードを登録することができます。トラップコマンドは次のような形式です。
trap 'command list' signals
signals を受信すると、command list が実行されます。
メモ:shellのtrapについて覚え書き
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal. |
| DS0022 | File | File Creation |
Monitor for newly constructed files that may establish persistence by executing malicious content triggered by an interrupt signal. |
| File Modification |
Monitor for changes made to files that may establish persistence by executing malicious content triggered by an interrupt signal. |
||
| DS0009 | Process | Process Creation |
Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal. |