title: Trap (T1546.005)
id: df00tech-t1546-005
status: experimental
description: "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal using the trap command. The trap command is used in Unix/Linux shell scripting to specify commands that will execute when the shell receives a particular signal. Adversaries can abuse the trap command to establish persistence that executes when the shell or system receives specific signals such as EXIT (when the shell exits), ERR (on error), or signal numbers like SIGINT (2), SIGHUP (1), or SIGTERM (15). The trap command can be placed in shell initialization files to execute malicious commands whenever a user session ends or encounters an error."
references:
  - https://attack.mitre.org/techniques/T1546/005/
  - https://df00tech.com/detections/T1546.005
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Shell scripts that use trap for legitimate cleanup operations (removing temp files on exit, resetting terminal settings on SIGINT)"
  - Database backup scripts that use trap EXIT to ensure connection cleanup and lock release on unexpected termination
  - CI/CD pipeline scripts that use trap ERR for error handling and rollback operations
  - System administration scripts that use trap SIGTERM/SIGHUP for graceful shutdown of services or daemons
level: medium