Hare Sudhan
249 lines
7.3 KiB
YAML
249 lines
7.3 KiB
YAML
attack_technique: T1070.003
|
|
display_name: 'Indicator Removal on Host: Clear Command History'
|
|
atomic_tests:
|
|
- name: Clear Bash history (rm)
|
|
auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
|
|
description: |
|
|
Clears bash history via rm
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
rm ~/.bash_history
|
|
name: sh
|
|
- name: Clear sh history (rm)
|
|
auto_generated_guid: 448893f8-1d5d-4ae2-9017-7fcd73a7e100
|
|
description: |
|
|
Clears sh history via rm
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
rm ~/.sh_history
|
|
name: sh
|
|
|
|
- name: Clear Bash history (echo)
|
|
auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
|
|
description: |
|
|
Clears bash history via echo
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
echo "" > ~/.bash_history
|
|
name: sh
|
|
- name: Clear sh history (echo)
|
|
auto_generated_guid: a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
|
|
description: |
|
|
Clears sh history via echo
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
echo "" > ~/.sh_history
|
|
name: sh
|
|
- name: Clear Bash history (cat dev/null)
|
|
auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f
|
|
description: |
|
|
Clears bash history via cat /dev/null
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
cat /dev/null > ~/.bash_history
|
|
name: sh
|
|
- name: Clear sh history (cat dev/null)
|
|
auto_generated_guid: ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
|
|
description: |
|
|
Clears sh history via cat /dev/null
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
cat /dev/null > ~/.sh_history
|
|
name: sh
|
|
|
|
- name: Clear Bash history (ln dev/null)
|
|
auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
|
|
description: |
|
|
Clears bash history via a symlink to /dev/null
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
ln -sf /dev/null ~/.bash_history
|
|
name: sh
|
|
- name: Clear sh history (ln dev/null)
|
|
auto_generated_guid: 3126aa7a-8768-456f-ae05-6ab2d4accfdd
|
|
description: |
|
|
Clears sh history via a symlink to /dev/null
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
ln -sf /dev/null ~/.sh_history
|
|
name: sh
|
|
- name: Clear Bash history (truncate)
|
|
auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739
|
|
description: |
|
|
Clears bash history via truncate
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
truncate -s0 ~/.bash_history
|
|
name: sh
|
|
- name: Clear sh history (truncate)
|
|
auto_generated_guid: e14d9bb0-c853-4503-aa89-739d5c0a5818
|
|
description: |
|
|
Clears sh history via truncate
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
truncate -s0 ~/.sh_history
|
|
name: sh
|
|
- name: Clear history of a bunch of shells
|
|
auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c
|
|
description: |
|
|
Clears the history of a bunch of different shell types by setting the history size to zero
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
unset HISTFILE
|
|
export HISTFILESIZE=0
|
|
history -c
|
|
name: sh
|
|
- name: Clear history of a bunch of shells (freebsd)
|
|
auto_generated_guid: 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
|
|
description: |
|
|
Clears the history of a bunch of different shell types by setting the history size to zero
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
unset HISTFILE
|
|
unset histfile
|
|
export HISTFILESIZE=0
|
|
export HISTSIZE=0
|
|
history -c
|
|
name: sh
|
|
|
|
- name: Clear and Disable Bash History Logging
|
|
auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
|
|
description: |
|
|
Clears the history and disable bash history logging of the current shell and future shell sessions
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
set +o history
|
|
echo 'set +o history' >> ~/.bashrc
|
|
. ~/.bashrc
|
|
history -c
|
|
cleanup_command: |
|
|
sed -i 's/set +o history//g' ~/.bashrc
|
|
. ~/.bashrc
|
|
set -o history
|
|
name: sh
|
|
- name: Use Space Before Command to Avoid Logging to History
|
|
auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
|
|
description: |
|
|
Using a space before a command causes the command to not be logged in the Bash History file
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
hostname
|
|
whoami
|
|
name: sh
|
|
|
|
- name: Disable Bash History Logging with SSH -T
|
|
auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1
|
|
description: |
|
|
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
|
|
supported_platforms:
|
|
- linux
|
|
dependencies:
|
|
- description: |
|
|
Install sshpass and create user account used for excuting
|
|
prereq_command: |
|
|
$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
|
|
get_prereq_command: |
|
|
/usr/sbin/useradd testuser1
|
|
echo -e 'pwd101!\npwd101!' | passwd testuser1
|
|
(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)
|
|
executor:
|
|
command: |
|
|
sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
|
|
cleanup_command: |
|
|
userdel -f testuser1
|
|
name: sh
|
|
|
|
- name: Disable sh History Logging with SSH -T (freebsd)
|
|
auto_generated_guid: ec3f2306-dd19-4c4b-bed7-92d20e9b1dee
|
|
description: |
|
|
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
|
|
supported_platforms:
|
|
- linux
|
|
dependencies:
|
|
- description: |
|
|
Install sshpass and create user account used for excuting
|
|
prereq_command: |
|
|
$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
|
|
get_prereq_command: |
|
|
pw useradd testuser1 -g wheel -s /bin/sh
|
|
echo 'pwd101!' | pw mod user testuser1 -h 0
|
|
(which pkg && pkg install -y sshpass)
|
|
executor:
|
|
command: |
|
|
sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
|
|
cleanup_command: |
|
|
rmuser -y testuser1
|
|
name: sh
|
|
|
|
- name: Prevent Powershell History Logging
|
|
auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
|
|
description: |
|
|
Prevents Powershell history
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Set-PSReadlineOption -HistorySaveStyle SaveNothing
|
|
name: powershell
|
|
cleanup_command: 'Set-PSReadLineOption -HistorySaveStyle SaveIncrementally'
|
|
|
|
- name: Clear Powershell History by Deleting History File
|
|
auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
|
|
description: |
|
|
Clears Powershell history
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Remove-Item (Get-PSReadlineOption).HistorySavePath
|
|
name: powershell
|
|
|
|
- name: Set Custom AddToHistoryHandler to Avoid History File Logging
|
|
auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94
|
|
description: |
|
|
The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if
|
|
the line should be written to the history file. Here we simply return $false so nothing gets added to
|
|
the history file for the current session.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Set-PSReadLineOption -AddToHistoryHandler { return $false }
|
|
cleanup_command: |
|
|
Set-PSReadLineOption -AddToHistoryHandler $null
|
|
name: powershell
|