Atomic Red Team doc generator
209 lines
6.7 KiB
YAML
209 lines
6.7 KiB
YAML
attack_technique: T1070.003
|
|
display_name: 'Indicator Removal on Host: Clear Command History'
|
|
atomic_tests:
|
|
- name: Clear Bash history (rm)
|
|
auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
|
|
description: |
|
|
Clears bash history via rm
|
|
input_arguments:
|
|
history_path:
|
|
description: Bash history path
|
|
type: path
|
|
default: ~/.bash_history
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
rm #{history_path}
|
|
name: sh
|
|
- name: Clear Bash history (echo)
|
|
auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
|
|
description: |
|
|
Clears bash history via echo
|
|
input_arguments:
|
|
history_path:
|
|
description: Bash history path
|
|
type: path
|
|
default: ~/.bash_history
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
echo "" > #{history_path}
|
|
name: sh
|
|
- name: Clear Bash history (cat dev/null)
|
|
auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f
|
|
description: |
|
|
Clears bash history via cat /dev/null
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
history_path:
|
|
description: Bash history path
|
|
type: path
|
|
default: ~/.bash_history
|
|
executor:
|
|
command: |
|
|
cat /dev/null > #{history_path}
|
|
name: sh
|
|
- name: Clear Bash history (ln dev/null)
|
|
auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
|
|
description: |
|
|
Clears bash history via a symlink to /dev/null
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
history_path:
|
|
description: Bash history path
|
|
type: path
|
|
default: ~/.bash_history
|
|
executor:
|
|
command: |
|
|
ln -sf /dev/null #{history_path}
|
|
name: sh
|
|
- name: Clear Bash history (truncate)
|
|
auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739
|
|
description: |
|
|
Clears bash history via truncate
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
history_path:
|
|
description: Bash history path
|
|
type: path
|
|
default: ~/.bash_history
|
|
executor:
|
|
command: |
|
|
truncate -s0 #{history_path}
|
|
name: sh
|
|
- name: Clear history of a bunch of shells
|
|
auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c
|
|
description: |
|
|
Clears the history of a bunch of different shell types by setting the history size to zero
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
unset HISTFILE
|
|
export HISTFILESIZE=0
|
|
history -c
|
|
name: sh
|
|
- name: Clear and Disable Bash History Logging
|
|
auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
|
|
description: |
|
|
Clears the history and disable bash history logging of the current shell and future shell sessions
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
set +o history
|
|
echo 'set +o history' >> ~/.bashrc
|
|
. ~/.bashrc
|
|
history -c
|
|
cleanup_command: |
|
|
sed -i 's/set +o history//g' ~/.bashrc
|
|
. ~/.bashrc
|
|
set -o history
|
|
name: bash
|
|
- name: Use Space Before Command to Avoid Logging to History
|
|
auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
|
|
description: |
|
|
Using a space before a command causes the command to not be logged in the Bash History file
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
executor:
|
|
command: |
|
|
hostname
|
|
whoami
|
|
name: sh
|
|
|
|
- name: Disable Bash History Logging with SSH -T
|
|
auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1
|
|
description: |
|
|
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
|
|
supported_platforms:
|
|
- linux
|
|
dependencies:
|
|
- description: |
|
|
Install sshpass and create user account used for excuting
|
|
prereq_command: |
|
|
$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
|
|
get_prereq_command: |
|
|
[ "$(uname)" = 'FreeBSD' ] && pw useradd testuser1 -g wheel -s /bin/sh || /usr/sbin/useradd testuser1
|
|
[ "$(uname)" = 'FreeBSD' ] && echo 'pwd101!' | pw mod user testuser1 -h 0 || echo -e 'pwd101!\npwd101!' | passwd testuser1
|
|
(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
|
|
executor:
|
|
command: |
|
|
sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
|
|
cleanup_command: |
|
|
[ "$(uname)" = 'FreeBSD' ] && rmuser -y testuser1 || userdel -f testuser1
|
|
name: sh
|
|
|
|
- name: Clear Docker Container Logs
|
|
auto_generated_guid: 553b39f9-1e8c-47b1-abf5-8daf7b0391e9
|
|
description: |
|
|
Clears Docker container logs using the Docker CLI and the truncate command, removing all log entries.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
|
|
elevation_required: true
|
|
- name: Prevent Powershell History Logging
|
|
auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
|
|
description: |
|
|
Prevents Powershell history
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Set-PSReadlineOption -HistorySaveStyle SaveNothing
|
|
name: powershell
|
|
cleanup_command: 'Set-PSReadLineOption -HistorySaveStyle SaveIncrementally'
|
|
|
|
- name: Clear Powershell History by Deleting History File
|
|
auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
|
|
description: |
|
|
Clears Powershell history
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Remove-Item (Get-PSReadlineOption).HistorySavePath
|
|
name: powershell
|
|
|
|
- name: Set Custom AddToHistoryHandler to Avoid History File Logging
|
|
auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94
|
|
description: |
|
|
The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if
|
|
the line should be written to the history file. Here we simply return $false so nothing gets added to
|
|
the history file for the current session.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Set-PSReadLineOption -AddToHistoryHandler { return $false }
|
|
cleanup_command: |
|
|
Set-PSReadLineOption -AddToHistoryHandler $null
|
|
name: powershell
|
|
- name: Clear PowerShell Session History
|
|
auto_generated_guid: 22c779cd-9445-4d3e-a136-f75adbf0315f
|
|
description: |
|
|
This technique involves using the Clear-History cmdlet in PowerShell to remove all records of previously executed commands.
|
|
This action is often performed by attackers to eliminate traces of their activities, making incident detection and forensic
|
|
investigation more challenging. By clearing the session history, adversaries aim to obfuscate their operational footprint.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
Clear-History
|
|
name: powershell
|
|
elevation_required: false
|