Hare Sudhan
207 lines
8.8 KiB
YAML
207 lines
8.8 KiB
YAML
attack_technique: T1562.003
|
|
display_name: 'Impair Defenses: HISTCONTROL'
|
|
atomic_tests:
|
|
- name: Disable history collection
|
|
auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
|
|
description: |
|
|
Disables history collection in shells
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
evil_command:
|
|
description: Command to run after shell history collection is disabled
|
|
type: string
|
|
default: whoami
|
|
executor:
|
|
command: |
|
|
export HISTCONTROL=ignoreboth
|
|
#{evil_command}
|
|
name: sh
|
|
- name: Disable history collection (freebsd)
|
|
auto_generated_guid: cada55b4-8251-4c60-819e-8ec1b33c9306
|
|
description: |
|
|
Disables history collection in shells
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
evil_command:
|
|
description: Command to run after shell history collection is disabled
|
|
type: string
|
|
default: whoami
|
|
executor:
|
|
command: |
|
|
export HISTSIZE=0
|
|
#{evil_command}
|
|
name: sh
|
|
- name: Mac HISTCONTROL
|
|
auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
|
|
description: |
|
|
The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history
|
|
and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile
|
|
so that it will apply to all future settings as well.
|
|
https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
executor:
|
|
steps: |
|
|
1. export HISTCONTROL=ignoreboth
|
|
2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
|
|
3. ls
|
|
4. whoami > recon.txt
|
|
name: manual
|
|
- name: Clear bash history
|
|
auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
|
|
description: |
|
|
An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.
|
|
|
|
In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
cp $HISTFILE $HISTFILE.OLD
|
|
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
|
|
echo "" > $HISTFILE
|
|
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
|
|
ls -la $HISTFILE
|
|
cat $HISTFILE
|
|
history -c
|
|
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
|
|
cleanup_command: |
|
|
mv -f $HISTFILE.OLD $HISTFILE
|
|
- name: Setting the HISTCONTROL environment variable
|
|
auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
|
|
description: |
|
|
An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.
|
|
|
|
In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
TEST=$(echo $HISTCONTROL)
|
|
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
|
|
history -c
|
|
ls -la $HISTFILE # " ls -la $HISTFILE"
|
|
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
|
|
# -> ls -la is not in history cache
|
|
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
|
|
history -c
|
|
ls -la $HISTFILE
|
|
ls -la $HISTFILE
|
|
ls -la $HISTFILE
|
|
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
|
|
cleanup_command: |
|
|
export HISTCONTROL=$(echo $TEST)
|
|
- name: Setting the HISTFILESIZE environment variable
|
|
auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
|
|
description: |
|
|
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
|
|
|
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
TEST=$(echo $HISTFILESIZE)
|
|
echo $HISTFILESIZE
|
|
export HISTFILESIZE=0
|
|
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
|
|
# -> $HISTFILESIZE is zero
|
|
cleanup_command: |
|
|
export HISTCONTROL=$(echo $TEST)
|
|
- name: Setting the HISTSIZE environment variable
|
|
auto_generated_guid: 386d3850-2ce7-4508-b56b-c0558922c814
|
|
description: |
|
|
An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
|
|
|
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
echo $HISTSIZE
|
|
export HISTSIZE=0
|
|
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; fi
|
|
# -> $HISTSIZE is zero
|
|
cleanup_command: |
|
|
export HISTSIZE=100
|
|
|
|
- name: Setting the HISTFILE environment variable
|
|
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
|
description: |
|
|
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
|
|
|
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
TEST=$(echo $HISTFILE)
|
|
echo $HISTFILE
|
|
export HISTFILE="/dev/null"
|
|
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
|
# -> $HISTFILE is /dev/null
|
|
cleanup_command: |
|
|
export HISTFILE=$(echo $TEST)
|
|
- name: Setting the HISTFILE environment variable (freebsd)
|
|
auto_generated_guid: f7308845-6da8-468e-99f2-4271f2f5bb67
|
|
description: |
|
|
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
|
|
|
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
echo $HISTFILE
|
|
export HISTFILE="/dev/null"
|
|
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
|
# -> $HISTFILE is /dev/null
|
|
cleanup_command: |
|
|
export HISTFILE=~/.sh_history
|
|
- name: Setting the HISTIGNORE environment variable
|
|
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
|
|
description: |
|
|
An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.
|
|
|
|
In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
|
|
# -> $HISTIGNORE = ls*:rm*:ssh*
|
|
history -c
|
|
ls -la $HISTFILE
|
|
ls -la ~/.bash_logout
|
|
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
|
|
# -> ls commands are not in history
|
|
unset HISTIGNORE
|
|
|
|
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
|
|
# -> $HISTIGNORE = *
|
|
history -c
|
|
whoami
|
|
groups
|
|
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
|
|
# -> History cache is empty
|
|
cleanup_command: |
|
|
unset HISTIGNORE
|