Detect Trap in IBM QRadar
Adversaries may establish persistence by executing malicious content triggered by an interrupt signal using the trap command. The trap command is used in Unix/Linux shell scripting to specify commands that will execute when the shell receives a particular signal. Adversaries can abuse the trap command to establish persistence that executes when the shell or system receives specific signals such as EXIT (when the shell exits), ERR (on error), or signal numbers like SIGINT (2), SIGHUP (1), or SIGTERM (15). The trap command can be placed in shell initialization files to execute malicious commands whenever a user session ends or encounters an error.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.005 Trap
- Canonical reference
- https://attack.mitre.org/techniques/T1546/005/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourceid,
LOGSOURCETYPENAME(logsourceid) AS log_source_type,
sourceip,
username,
QIDNAME(qid) AS event_name,
"UTF8"(payload) AS raw_payload
FROM events
WHERE
devicetime > (CURRENT_TIMESTAMP - 86400000)
AND LOWER("UTF8"(payload)) LIKE '%trap%'
AND (
"UTF8"(payload) LIKE '%EXIT%'
OR "UTF8"(payload) LIKE '%SIGTERM%'
OR "UTF8"(payload) LIKE '%SIGHUP%'
OR "UTF8"(payload) LIKE '%SIGINT%'
OR "UTF8"(payload) LIKE '%ERR%'
)
AND (
LOWER("UTF8"(payload)) LIKE '%curl%'
OR LOWER("UTF8"(payload)) LIKE '%wget%'
OR LOWER("UTF8"(payload)) LIKE '%/dev/tcp%'
OR LOWER("UTF8"(payload)) LIKE '%bash -i%'
OR LOWER("UTF8"(payload)) LIKE '%base64%'
OR LOWER("UTF8"(payload)) LIKE '%python%'
OR LOWER("UTF8"(payload)) LIKE '%perl%'
OR LOWER("UTF8"(payload)) LIKE '%ncat%'
OR LOWER("UTF8"(payload)) LIKE '%eval%'
)
AND LOGSOURCETYPENAME(logsourceid) IN ('Linux OS', 'Linux Auth', 'Syslog')
ORDER BY devicetime DESCAQL query scanning Linux syslog and auth log sources for shell process invocations that include both a trap signal handler (EXIT, SIGTERM, SIGHUP, SIGINT, ERR) and a suspicious payload indicator (curl, wget, /dev/tcp, bash -i, base64, python, perl, ncat, eval). Matches T1546.005 persistence abuse via signal-triggered shell callbacks.
Data Sources
Required Tables
False Positives & Tuning
- Automated deployment scripts that register cleanup traps and also download configuration or notify remote URLs upon exit
- Container entrypoint scripts that use trap EXIT with curl-based health reporting to orchestration platforms
- Penetration testing tools or CTF environments where trap-based reverse shell examples are executed legitimately
Other platforms for T1546.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Establish EXIT Trap in Interactive Shell
Expected signal: Process creation event for bash with command line containing 'trap' and 'EXIT'. The curl invocation in the trap payload. When the shell exits, a child process for curl is spawned by the shell process.
- Test 2Add SIGTERM Trap to Shell Config
Expected signal: File modification event for ~/.bashrc. Process creation for bash writing the trap via echo. The trap payload in the file contains wget and chmod+execute pattern — high severity indicator.
- Test 3Trap ERR Signal for Stealthy Execution
Expected signal: Process creation for bash -c with trap ERR in command. The ls command fails with non-zero exit (directory doesn't exist), triggering the ERR trap. Child process (echo) spawned from the bash session. File creation event for /tmp/trap_test.txt.
Unlock Pro Content
Get the full detection package for T1546.005 including response playbook, investigation guide, and atomic red team tests.