security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
remove_ruby
atomic-red-team/atomics/T1690/T1690.yaml
T
philhagen-rc 113f30c97c Attack v19 migration (#3329)
2026-05-01 23:10:14 -04:00

267 lines
13 KiB
YAML
Raw Permalink Blame History

attack_technique: T1690
display_name: 'Prevent Command History Logging'
atomic_tests:
- name: Disable history collection
auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
description: |
Disables history collection in shells
supported_platforms:
- linux
- macos
input_arguments:
evil_command:
description: Command to run after shell history collection is disabled
type: string
default: whoami
executor:
command: |
export HISTCONTROL=ignoreboth
#{evil_command}
name: sh
- name: Disable history collection (freebsd)
auto_generated_guid: cada55b4-8251-4c60-819e-8ec1b33c9306
description: |
Disables history collection in shells
supported_platforms:
- linux
input_arguments:
evil_command:
description: Command to run after shell history collection is disabled
type: string
default: whoami
executor:
command: |
export HISTSIZE=0
#{evil_command}
name: sh
- name: Mac HISTCONTROL
auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
description: |
The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history
and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile
so that it will apply to all future settings as well.
https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol
supported_platforms:
- macos
- linux
executor:
steps: |
1. export HISTCONTROL=ignoreboth
2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
3. ls
4. whoami > recon.txt
name: manual
- name: Clear bash history
auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
description: |
An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.
In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
cp $HISTFILE $HISTFILE.OLD
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
echo "" > $HISTFILE
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
ls -la $HISTFILE
cat $HISTFILE
history -c
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
cleanup_command: |
mv -f $HISTFILE.OLD $HISTFILE
- name: Setting the HISTCONTROL environment variable
auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
description: |
An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.
In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
TEST=$(echo $HISTCONTROL)
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
history -c
ls -la $HISTFILE # " ls -la $HISTFILE"
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
history -c
ls -la $HISTFILE
ls -la $HISTFILE
ls -la $HISTFILE
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
cleanup_command: |
export HISTCONTROL=$(echo $TEST)
- name: Setting the HISTFILESIZE environment variable
auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
description: |
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
TEST=$(echo $HISTFILESIZE)
echo $HISTFILESIZE
export HISTFILESIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILESIZE is not zero, history lenght is $HIST_LENGHT"; fi
cleanup_command: |
export HISTCONTROL=$(echo $TEST)
- name: Setting the HISTSIZE environment variable
auto_generated_guid: 386d3850-2ce7-4508-b56b-c0558922c814
description: |
An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
echo $HISTSIZE
export HISTSIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTSIZE is not zero, history size is $HIST_LENGTH"; fi
cleanup_command: |
export HISTSIZE=100
- name: Setting the HISTFILE environment variable
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
description: |
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
TEST=$(echo $HISTFILE)
echo $HISTFILE
export HISTFILE="/dev/null"
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; else HIST_LENGHT=$(wc -l $HISTFILE); echo "\$HISTFILE is not /dev/null, history lenght is $HIST_LENGHT"; fi
cleanup_command: |
export HISTFILE=$(echo $TEST)
- name: Setting the HISTFILE environment variable (freebsd)
auto_generated_guid: f7308845-6da8-468e-99f2-4271f2f5bb67
description: |
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
echo $HISTFILE
export HISTFILE="/dev/null"
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
cleanup_command: |
export HISTFILE=~/.sh_history
- name: Setting the HISTIGNORE environment variable
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
description: |
An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.
In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
ls -la $HISTFILE
ls -la ~/.bash_logout
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
unset HISTIGNORE
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
whoami
groups
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
cleanup_command: |
unset HISTIGNORE
- name: Disable Windows Command Line Auditing using reg.exe
auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
description: |
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
cleanup_command: |
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
- name: Disable Windows Command Line Auditing using Powershell Cmdlet
auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
description: |
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
cleanup_command: |
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
Reference in New Issue View Git Blame Copy Permalink