Trap Signals Execution

Identifies activity in which adversaries include a trap command, which allows programs and shells to specify commands that will be executed upon receiving interrupt signals.

Elastic rule

 1[metadata]
 2creation_date = "2023/08/24"
 3integration = ["endpoint", "auditd_manager"]
 4maturity = "production"
 5updated_date = "2025/12/24"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identify activity related where adversaries can include a trap command which then allows programs and shells to specify
11commands that will be executed upon receiving interrupt signals.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Trap Signals Execution"
18risk_score = 21
19rule_id = "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e"
20severity = "low"
21tags = [
22    "Domain: Endpoint",
23    "OS: Linux",
24    "OS: macOS",
25    "Use Case: Threat Detection",
26    "Tactic: Privilege Escalation",
27    "Data Source: Elastic Defend",
28    "Data Source: Elastic Endgame",
29    "Data Source: Auditd Manager",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33query = '''
34process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
35process.name == "trap" and process.args : "SIG*"
36'''
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40
41[[rule.threat.technique]]
42id = "T1546"
43name = "Event Triggered Execution"
44reference = "https://attack.mitre.org/techniques/T1546/"
45
46[[rule.threat.technique.subtechnique]]
47id = "T1546.005"
48name = "Trap"
49reference = "https://attack.mitre.org/techniques/T1546/005/"
50
51[rule.threat.tactic]
52id = "TA0004"
53name = "Privilege Escalation"
54reference = "https://attack.mitre.org/tactics/TA0004/"
