Atomic Red Team doc generator
3.1 KiB
T1552.003 - Unsecured Credentials: Bash History
Description from ATT&CK
Adversaries may search the command history on compromised systems for insecurely stored credentials.
On Linux and macOS systems, shells such as Bash and Zsh keep track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's history file. For each user, this file resides at the same location: for example,
~/.bash_historyor~/.zsh_history. Typically, these files keeps track of the user's last 1000 commands.On Windows, PowerShell has both a command history that is wiped after the session ends, and one that contains commands used in all sessions and is persistent. The default location for persistent history can be found in
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt, but command history can also be accessed withGet-History. Command Prompt (CMD) on Windows does not have persistent history.(Citation: Microsoft about_History)(Citation: Medium)Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials.(Citation: External to DA, the OS X Way)
Atomic Tests
Atomic Test #1 - Search Through Bash History
Search through bash history for specifice commands we want to capture
Supported Platforms: Linux, macOS
auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | ~/loot.txt |
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | path | -e '-p ' -e 'pass' -e 'ssh' |
| bash_history_filename | Path of the bash history file to capture | path | ~/.bash_history |
Attack Commands: Run with sh!
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
Atomic Test #2 - Search Through sh History
Search through sh history for specifice commands we want to capture
Supported Platforms: Linux
auto_generated_guid: d87d3b94-05b4-40f2-a80f-99864ffa6803
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | ~/loot.txt |
| sh_history_grep_args | grep arguments that filter out specific commands we want to capture | path | -e '-p ' -e 'pass' -e 'ssh' |
| sh_history_filename | Path of the sh history file to capture | path | ~/.history |
Attack Commands: Run with sh!
cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}