MITRE ATT&CK® Technique

T1546.005: Trap

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format: trap 'command list' signals, where "command list" will be executed when "signals" are received.[1][2]

Domain: Enterprise. ID: T1546.005. Type: Sub-technique. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Trap matters because a small, legitimate shell feature on Linux and macOS can be used to make code run when an interrupt signal occurs. For leaders, the risk is not the command itself; it is whether persistence or privilege-escalation logic can hide inside scripts and shell handling paths that administrators rarely review.

Executive priority

Prioritize this as a Unix-like endpoint resilience and audit-evidence issue. Security leaders should ask whether macOS and Linux script locations, shell configuration, and administrative automation are monitored well enough to explain unexpected persistence. This is especially relevant for incident response readiness: responders need enough script, command-line, and file-change evidence to determine whether a trap statement is benign operational handling or part of adversary-maintained access.

Technical view

ATT&CK defines T1546.005 as a Linux and macOS sub-technique of Event Triggered Execution under persistence and privilege escalation. The official detection field is not provided, but the relationship to DET0369 indicates a detection-strategy object exists for event-triggered execution via Trap. SOC and detection teams should validate visibility into shell invocations, script content changes, and uses of trap statements that execute non-standard command lists when signals are received. IR teams should review suspicious shell scripts and user or administrative automation for trap handlers that launch unexpected commands, binaries, or scripts.

Likely telemetry

  • Endpoint process telemetry for shell execution on Linux and macOS
  • Command-line or shell history evidence where available
  • File creation and modification telemetry for shell scripts and shell-related configuration files
  • File integrity monitoring or EDR evidence for administrative automation scripts
  • Audit logs or endpoint events showing script execution context, user, parent process, and timing

Detection direction

  • Confirm whether DET0369-aligned logic or equivalent analytics are implemented for T1546.005.
  • Hunt for trap statements in scripts where the command list executes unusual binaries, network utilities, interpreters, or persistence-related paths.
  • Tune carefully because trap is commonly used for graceful termination and handling keyboard interrupts such as ctrl+c and ctrl+d.
  • Prioritize changes in privileged, shared, startup, or operational scripts over ordinary developer or administrative cleanup handlers.
  • Correlate trap usage with recent file modifications, unusual parent processes, unexpected users, and persistence or privilege-escalation investigation context.
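As an added example (not code from the page, from MITRE or from Glexia), a small Python scanner that implements the hunt described in the Technical view and Detection direction above: it parses trap statements out of a script, separates the command list from the signal list, and flags handlers whose command list starts an interpreter or network utility or references a temp or hidden path. The sample script, the review binary set and the path pattern are constructed assumptions to be tuned against a local baseline.

```python
import re
import shlex
# Constructed sample script (not from the page): a benign cleanup handler
# beside a handler that starts an interpreter from a hidden temp path.
SAMPLE_SCRIPT = r"""#!/bin/bash
TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT INT TERM
trap "python3 /tmp/.cache/helper.py &" SIGINT SIGHUP
echo "working"
"""
TRAP_RE = re.compile(r"^\s*trap\s+(?P<rest>.+)$")
SEP_RE = re.compile(r"\s*(?:;|&&|\|\||\||&)\s*")  # simple-command separators
# Assumed review lists (the page fixes no set); tune to the local baseline.
REVIEW_BINARIES = {"sh", "bash", "python", "python3", "perl", "curl", "wget", "nc", "ncat", "base64"}
SUSPICIOUS_PATH_RE = re.compile(r"(^|\s)(/tmp/|/dev/shm/|\S*/\.)")

def parse_trap_statements(script_text):
    """Yield (command_list, signals) for each trap that registers a handler."""
    for m in filter(None, map(TRAP_RE.match, script_text.splitlines())):
        try:
            tokens = shlex.split(m.group("rest"), comments=True)
        except ValueError:
            continue  # unbalanced quotes: handler spans lines, skip here
        # 'trap -p' / 'trap -l' only list; 'trap - SIG' resets to default
        if len(tokens) < 2 or tokens[0].startswith("-"):
            continue
        yield tokens[0], tokens[1:]

def handler_binaries(command_list):
    """Basenames of the first word of every simple command in the handler."""
    names = []
    for segment in SEP_RE.split(command_list):
        try:
            words = shlex.split(segment)
        except ValueError:
            words = segment.split()  # a separator fell inside quotes
        if words:
            names.append(words[0].rsplit("/", 1)[-1])
    return names

def review_trap_handlers(script_text):
    """Classify each registered trap handler as 'benign' or 'review'."""
    findings = []
    for command_list, signals in parse_trap_statements(script_text):
        binaries = handler_binaries(command_list)
        flagged = set(binaries) & REVIEW_BINARIES or SUSPICIOUS_PATH_RE.search(command_list)
        findings.append({"signals": signals, "command_list": command_list,
                         "binaries": binaries, "verdict": "review" if flagged else "benign"})
    return findings
```

Run it over the scripts in privileged and startup paths and feed the "review" findings into the file-modification and parent-process correlation the list above calls for; the benign cleanup handler in the sample shows the noise the tuning step has to absorb.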

Mitigation priorities

  • Establish baseline review of trusted administrative and operational scripts on Linux and macOS.
  • Restrict write access to privileged scripts and automation paths to authorized administrators and service accounts.
  • Use change control and file monitoring for scripts that run with elevated privileges or during operational workflows.
  • Ensure incident response collection includes relevant shell scripts, configuration files, process context, and file modification history.
  • Use detections and reviews as audit evidence that event-triggered execution paths are monitored rather than relying only on malware signatures.

Analyst notes and limits

This take is based on ATT&CK T1546.005 Trap, its platforms, tactics, description, external references, and relationships. The key relationship is that Trap is a sub-technique of Event Triggered Execution and has an associated detection strategy, DET0369. The previous T1154 object is revoked by this object, so teams should map legacy references to T1546.005.

MITRE does not provide official detection text for this object in the supplied fields. Specific file paths, signal names beyond the examples, malicious command patterns, and environment-specific prevalence require local telemetry and validation. No active exploitation, attribution, impact, or guaranteed detection coverage is asserted.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                       Relationship / procedure
Enterprise  T1546      Event Triggered Execution  This object is a sub-technique of Event Triggered Execution.
Enterprise  T1154      Trap                       T1154 Trap is revoked by this object.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 3f5abfd2f6126734...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.1             -         Current bundle  3f5abfd2f612…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trap Manual. ss64. (n.d.). trap. Retrieved May 21, 2019.
  2. [2] Cyberciti Trap Statements. Cyberciti. (2016, March 29). Trap statement. Retrieved May 21, 2019.
  3. [3] mitre-attack T1546.005.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.