CircleCI Atomic Red Team doc generator
2.9 KiB
2.9 KiB
T1146 - Clear Command History
Description from ATT&CK
macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variableHISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such asunset HISTFILE,export HISTFILESIZE=0,history -c,rm ~/.bash_history.
Atomic Tests
Atomic Test #1 - Clear Bash history (rm)
Clears bash history via rm
Supported Platforms: Linux, macOS
Run it with sh!
rm ~/.bash_history
Atomic Test #2 - Clear Bash history (echo)
Clears bash history via rm
Supported Platforms: Linux, macOS
Run it with sh!
echo "" > ~/.bash_history
Atomic Test #3 - Clear Bash history (cat dev/null)
Clears bash history via cat /dev/null
Supported Platforms: Linux, macOS
Run it with sh!
cat /dev/null > ~/.bash_history
Atomic Test #4 - Clear Bash history (ln dev/null)
Clears bash history via a symlink to /dev/null
Supported Platforms: Linux, macOS
Run it with sh!
ln -sf /dev/null ~/.bash_history
Atomic Test #5 - Clear Bash history (truncate)
Clears bash history via truncate
Supported Platforms: Linux
Run it with sh!
truncate -s0 ~/.bash_history
Atomic Test #6 - Clear history of a bunch of shells
Clears the history of a bunch of different shell types by setting the history size to zero
Supported Platforms: Linux, macOS
Run it with sh!
unset HISTFILE
export HISTFILESIZE=0
history -c