atomic-red-team/atomics/T1146/T1146.md
2018-05-23 23:09:31 +00:00


T1146 - Clear Command History

Description from ATT&CK

macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appearing in these logs, such as unset HISTFILE, export HISTFILESIZE=0, history -c, rm ~/.bash_history.

Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the ~/.bash_history file are indicators of suspicious activity.

Platforms: Linux, macOS

Data Sources: Authentication logs, File monitoring

Defense Bypassed: Log analysis, Host forensic analysis

Permissions Required: User

Atomic Tests


Atomic Test #1 - Clear Bash history (rm)

Clears bash history via rm

Supported Platforms: Linux, macOS

Run it with sh!

rm ~/.bash_history


Atomic Test #2 - Clear Bash history (echo)

Clears bash history via echo

Supported Platforms: Linux, macOS

Run it with sh!

echo "" > ~/.bash_history


Atomic Test #3 - Clear Bash history (cat dev/null)

Clears bash history via cat /dev/null

Supported Platforms: Linux, macOS

Run it with sh!

cat /dev/null > ~/.bash_history


Atomic Test #4 - Clear Bash history (ln dev/null)

Clears bash history via a symlink to /dev/null

Supported Platforms: Linux, macOS

Run it with sh!

ln -sf /dev/null ~/.bash_history


Atomic Test #5 - Clear Bash history (truncate)

Clears bash history via truncate

Supported Platforms: Linux

Run it with sh!

truncate -s0 ~/.bash_history


Atomic Test #6 - Clear history of a bunch of shells

Clears the history of a bunch of different shell types by setting the history size to zero

Supported Platforms: Linux

Run it with sh!

unset HISTFILE
export HISTFILESIZE=0
history -c
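As an added example (not part of the atomic-red-team project), the Python check below turns the file-based indicators from the detection paragraph into a host audit: for each home directory it flags a missing, empty or /dev/null-linked ~/.bash_history and one not modified since the user's last login, and it reproduces the states left by Tests #1 to #5 in a throwaway lab so the logic can be exercised offline. It assumes a flat home-directory layout and takes the last-login time as an input (here a constructed constant; on a real host it would come from wtmp or the authentication log); the environment-variable route of Test #6 is not covered by this check.

```python
import os
import tempfile
from pathlib import Path

LOGIN_TS = 1_700_000_000.0  # constructed epoch time of every sample user's last login (real source: wtmp)

def check_history_file(home, last_login_ts):
    """Return findings for one user's ~/.bash_history; an empty list means nothing odd."""
    hist = Path(home) / ".bash_history"
    if hist.is_symlink():
        # Inspect the link itself: following it would make /dev/null look like a normal file.
        target = os.readlink(hist)
        return [f"history file is a symlink to {target}"] if target == "/dev/null" else []
    if not hist.exists():
        return ["history file missing"]
    st, findings = hist.stat(), []
    if st.st_size <= 1:
        # echo "" > file leaves a lone newline; cat /dev/null > file and truncate -s0 leave 0 bytes.
        findings.append(f"history file holds only {st.st_size} byte(s)")
    if st.st_mtime < last_login_ts:
        findings.append("no history written since last login")
    return findings

def _write(home, content, mtime):
    path = home / ".bash_history"
    path.write_text(content)
    os.utime(path, (mtime, mtime))

def build_lab(root):
    """Constructed home directories reproducing the states left by Tests #1-#5, plus two untouched users."""
    states = {
        "benign":   lambda h: _write(h, "ls -la\nsystemctl status sshd\n", LOGIN_TS + 60),
        "stale":    lambda h: _write(h, "ls -la\n", LOGIN_TS - 3600),        # logged in, nothing recorded
        "rm":       lambda h: None,                                          # Test #1
        "echo":     lambda h: _write(h, "\n", LOGIN_TS + 60),                # Test #2
        "truncate": lambda h: _write(h, "", LOGIN_TS + 60),                  # Tests #3 and #5
        "symlink":  lambda h: os.symlink("/dev/null", h / ".bash_history"),  # Test #4
    }
    for user, setup in states.items():
        home = Path(root) / user
        home.mkdir()
        setup(home)

def run_lab():
    with tempfile.TemporaryDirectory() as root:
        build_lab(root)
        return {u: check_history_file(os.path.join(root, u), LOGIN_TS) for u in os.listdir(root)}

if __name__ == "__main__":
    print(*(f"{u}: {f or 'OK'}" for u, f in sorted(run_lab().items())), sep="\n")
```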