diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 933b474f..f4ee7fd6 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -220,6 +220,7 @@ defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/nul
defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a59e81cd..c76fc0ed 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -42,6 +42,7 @@ defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/nul
defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index dc72df6e..59867b27 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -47,6 +47,7 @@ defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/nu
defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index ed057091..e4fcfdc9 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -468,6 +468,7 @@
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
+ - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index cdbafddc..bf6ad26b 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -152,6 +152,7 @@
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
+ - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index a8df89af..075382f1 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -123,6 +123,7 @@
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
+ - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 45d93ed7..c39ee755 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -21575,6 +21575,20 @@ defense-evasion:
. ~/.bashrc
history -c
name: sh
+ - name: Use Space Before Command to Avoid Logging to History
+ auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
+ description: 'Using a space before a command causes the command to not be logged
+ in the Bash History file
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ executor:
+ command: |
+ hostname
+ whoami
+ name: sh
T1070.002:
technique:
external_references:
diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md
index 46641601..50788c59 100644
--- a/atomics/T1070.003/T1070.003.md
+++ b/atomics/T1070.003/T1070.003.md
@@ -22,6 +22,8 @@ Adversaries can use a variety of methods to prevent their own commands from appe
- [Atomic Test #7 - Clear and Disable Bash History Logging](#atomic-test-7---clear-and-disable-bash-history-logging)
+- [Atomic Test #8 - Use Space Before Command to Avoid Logging to History](#atomic-test-8---use-space-before-command-to-avoid-logging-to-history)
+
@@ -195,4 +197,29 @@ history -c
+
+
+
+## Atomic Test #8 - Use Space Before Command to Avoid Logging to History
+Using a space before a command causes the command to not be logged in the Bash History file
+
+**Supported Platforms:** Linux, macOS
+
+
+
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+hostname
+whoami
+```
+
+
+
+
+
+
diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml
index 773bbfc0..ba7a7c8c 100644
--- a/atomics/T1070.003/T1070.003.yaml
+++ b/atomics/T1070.003/T1070.003.yaml
@@ -83,6 +83,7 @@ atomic_tests:
history -c
name: sh
- name: Use Space Before Command to Avoid Logging to History
+ auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
description: |
Using a space before a command causes the command to not be logged in the Bash History file
supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 19ac94a4..3f2f552e 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -557,3 +557,4 @@ fda74566-a604-4581-a4cc-fbbe21d66559
9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
103d6533-fd2a-4d08-976a-4a598565280f
+53b03a54-4529-4992-852d-a00b4b7215a6