Merge branch 'master' into josehelps-patch-2

2023-04-13 10:57:20 -04:00
parent fdcca49a52 46955a8ea7
commit 3e72b1b2ac
11 changed files with 582 additions and 2 deletions
@@ -305,6 +305,11 @@ defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User usin
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -69,6 +69,11 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configu
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -430,6 +430,11 @@
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+  - Atomic Test #3: Clear bash history [linux]
+  - Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
+  - Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
+  - Atomic Test #6: Setting the HISTFILE environment variable [linux]
+  - Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
  - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
@@ -117,6 +117,11 @@
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+  - Atomic Test #3: Clear bash history [linux]
+  - Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
+  - Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
+  - Atomic Test #6: Setting the HISTFILE environment variable [linux]
+  - Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
@@ -16605,6 +16605,115 @@ defense-evasion:
          3. ls
          4. whoami > recon.txt
        name: manual
+    - name: Clear bash history
+      auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+      description: "An attacker may clear the bash history cache and the history file
+        as their last act before logging off to remove the record of their command
+        line activities. \n\nIn this test we use the $HISTFILE variable throughout
+        to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
+        the file is empty 6 clear the history cache 7. confirm the history cache is
+        empty. This is when the attacker would logoff.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
+          fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
+          is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
+          [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
+        cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
+    - name: Setting the HISTCONTROL environment variable
+      auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+      description: "An attacker may exploit the space before a command (e.g. \" ls\")
+        or the duplicate command suppression feature in Bash history to prevent their
+        commands from being recorded in the history file or to obscure the order of
+        commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
+        the history cache 3. executes ls -la with a space in-front of it 4. confirms
+        that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
+        6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
+        that their is only one command in history\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
+          ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
+          # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
+          -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
+          [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
+          fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
+          [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
+          -la $HISTFILE\"; fi\n"
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILESIZE environment variable
+      auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+      description: |
+        An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILESIZE)
+          echo $HISTFILESIZE
+          export HISTFILESIZE=0
+          if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+          # -> $HISTFILESIZE is zero
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILE environment variable
+      auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+      description: |
+        An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILE)
+          echo $HISTFILE
+          export HISTFILE="/dev/null"
+          if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+          # -> $HISTFILE is /dev/null
+        cleanup_command: 'export HISTFILE=$(echo $TEST)
+
+          '
+    - name: Setting the HISTIGNORE environment variable
+      auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+      description: "An Adversary may take advantage of the HISTIGNORE environment
+        variable either to ignore particular commands or all commands. \n\nIn this
+        test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
+        history cache 3..4 execute ls commands 5. confirm that the ls commands are
+        not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
+        ignoring ALL commands.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
+          ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
+          are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
+          ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
+          HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
+          = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
+          \"History cache is empty\"; fi\n# -> History cache is empty\n"
+        cleanup_command: 'unset HISTIGNORE
+
+          '
  T1497.002:
    technique:
      x_mitre_platforms:
@@ -10438,6 +10438,115 @@ defense-evasion:
          3. ls
          4. whoami > recon.txt
        name: manual
+    - name: Clear bash history
+      auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+      description: "An attacker may clear the bash history cache and the history file
+        as their last act before logging off to remove the record of their command
+        line activities. \n\nIn this test we use the $HISTFILE variable throughout
+        to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
+        the file is empty 6 clear the history cache 7. confirm the history cache is
+        empty. This is when the attacker would logoff.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
+          fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
+          is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
+          [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
+        cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
+    - name: Setting the HISTCONTROL environment variable
+      auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+      description: "An attacker may exploit the space before a command (e.g. \" ls\")
+        or the duplicate command suppression feature in Bash history to prevent their
+        commands from being recorded in the history file or to obscure the order of
+        commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
+        the history cache 3. executes ls -la with a space in-front of it 4. confirms
+        that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
+        6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
+        that their is only one command in history\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
+          ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
+          # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
+          -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
+          [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
+          fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
+          [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
+          -la $HISTFILE\"; fi\n"
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILESIZE environment variable
+      auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+      description: |
+        An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILESIZE)
+          echo $HISTFILESIZE
+          export HISTFILESIZE=0
+          if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+          # -> $HISTFILESIZE is zero
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILE environment variable
+      auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+      description: |
+        An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILE)
+          echo $HISTFILE
+          export HISTFILE="/dev/null"
+          if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+          # -> $HISTFILE is /dev/null
+        cleanup_command: 'export HISTFILE=$(echo $TEST)
+
+          '
+    - name: Setting the HISTIGNORE environment variable
+      auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+      description: "An Adversary may take advantage of the HISTIGNORE environment
+        variable either to ignore particular commands or all commands. \n\nIn this
+        test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
+        history cache 3..4 execute ls commands 5. confirm that the ls commands are
+        not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
+        ignoring ALL commands.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
+          ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
+          are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
+          ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
+          HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
+          = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
+          \"History cache is empty\"; fi\n# -> History cache is empty\n"
+        cleanup_command: 'unset HISTIGNORE
+
+          '
  T1497.002:
    technique:
      x_mitre_platforms:
@@ -16,6 +16,16 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te

 - [Atomic Test #2 - Mac HISTCONTROL](#atomic-test-2---mac-histcontrol)

+- [Atomic Test #3 - Clear bash history](#atomic-test-3---clear-bash-history)
+
+- [Atomic Test #4 - Setting the HISTCONTROL environment variable](#atomic-test-4---setting-the-histcontrol-environment-variable)
+
+- [Atomic Test #5 - Setting the HISTFILESIZE environment variable](#atomic-test-5---setting-the-histfilesize-environment-variable)
+
+- [Atomic Test #6 - Setting the HISTFILE environment variable](#atomic-test-6---setting-the-histfile-environment-variable)
+
+- [Atomic Test #7 - Setting the HISTIGNORE environment variable](#atomic-test-7---setting-the-histignore-environment-variable)
+

 <br/>

@@ -80,4 +90,215 @@ https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcon



+<br/>
+<br/>
+
+## Atomic Test #3 - Clear bash history
+An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. 
+
+In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 878794f7-c511-4199-a950-8c28b3ed8e5b
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+cp $HISTFILE $HISTFILE.OLD
+if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
+echo "" > $HISTFILE
+if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
+ls -la $HISTFILE 
+cat $HISTFILE
+history -c 
+if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
+```
+
+#### Cleanup Commands:
+```bash
+mv -f $HISTFILE.OLD $HISTFILE
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Setting the HISTCONTROL environment variable
+An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. 
+
+In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 10ab786a-028e-4465-96f6-9e83ca6c5f24
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTCONTROL)
+if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
+history -c 
+ls -la $HISTFILE # " ls -la $HISTFILE"
+if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
+# -> ls -la is not in history cache
+if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
+history -c 
+ls -la $HISTFILE
+ls -la $HISTFILE
+ls -la $HISTFILE
+if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
+```
+
+#### Cleanup Commands:
+```bash
+export HISTCONTROL=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Setting the HISTFILESIZE environment variable
+An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTFILESIZE)
+echo $HISTFILESIZE
+export HISTFILESIZE=0
+if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+# -> $HISTFILESIZE is zero
+```
+
+#### Cleanup Commands:
+```bash
+export HISTCONTROL=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Setting the HISTFILE environment variable
+An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTFILE)
+echo $HISTFILE
+export HISTFILE="/dev/null"
+if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+# -> $HISTFILE is /dev/null
+```
+
+#### Cleanup Commands:
+```bash
+export HISTFILE=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Setting the HISTIGNORE environment variable
+An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. 
+
+In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f12acddb-7502-4ce6-a146-5b62c59592f1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+# -> $HISTIGNORE = ls*:rm*:ssh*
+history -c 
+ls -la $HISTFILE
+ls -la ~/.bash_logout
+if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
+# -> ls commands are not in history
+unset HISTIGNORE
+
+if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+# -> $HISTIGNORE = *
+history -c 
+whoami
+groups
+if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
+# -> History cache is empty
+```
+
+#### Cleanup Commands:
+```bash
+unset HISTIGNORE
+```
+
+
+
+
+
 <br/>
@@ -35,3 +35,119 @@ atomic_tests:
      3. ls
      4. whoami > recon.txt
    name: manual
+- name: Clear bash history
+  auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+  description: |
+    An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. 
+
+    In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cp $HISTFILE $HISTFILE.OLD
+      if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
+      echo "" > $HISTFILE
+      if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
+      ls -la $HISTFILE 
+      cat $HISTFILE
+      history -c 
+      if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
+    cleanup_command: |
+      mv -f $HISTFILE.OLD $HISTFILE 
+- name: Setting the HISTCONTROL environment variable
+  auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+  description: |
+    An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. 
+
+    In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTCONTROL)
+      if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
+      history -c 
+      ls -la $HISTFILE # " ls -la $HISTFILE"
+      if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
+      # -> ls -la is not in history cache
+      if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
+      history -c 
+      ls -la $HISTFILE
+      ls -la $HISTFILE
+      ls -la $HISTFILE
+      if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
+    cleanup_command: |
+      export HISTCONTROL=$(echo $TEST)
+- name: Setting the HISTFILESIZE environment variable
+  auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+  description: |
+    An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+    Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTFILESIZE)
+      echo $HISTFILESIZE
+      export HISTFILESIZE=0
+      if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+      # -> $HISTFILESIZE is zero
+    cleanup_command: |
+      export HISTCONTROL=$(echo $TEST)
+- name: Setting the HISTFILE environment variable 
+  auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+  description: |
+    An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+    Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTFILE)
+      echo $HISTFILE
+      export HISTFILE="/dev/null"
+      if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+      # -> $HISTFILE is /dev/null
+    cleanup_command: |
+      export HISTFILE=$(echo $TEST)
+- name: Setting the HISTIGNORE environment variable 
+  auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+  description: |
+    An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. 
+
+    In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+      # -> $HISTIGNORE = ls*:rm*:ssh*
+      history -c 
+      ls -la $HISTFILE
+      ls -la ~/.bash_logout
+      if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
+      # -> ls commands are not in history
+      unset HISTIGNORE
+
+      if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+      # -> $HISTIGNORE = *
+      history -c 
+      whoami
+      groups
+      if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
+      # -> History cache is empty
+    cleanup_command: |
+      unset HISTIGNORE
@@ -1292,3 +1292,8 @@ fb4151a2-db33-4f8c-b7f8-78ea8790f961
 adae83d3-0df6-45e7-b2c3-575f91584577
 e3ad8e83-3089-49ff-817f-e52f8c948090
 2db30061-589d-409b-b125-7b473944f9b3
+878794f7-c511-4199-a950-8c28b3ed8e5b
+10ab786a-028e-4465-96f6-9e83ca6c5f24
+5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+f12acddb-7502-4ce6-a146-5b62c59592f1