security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1146/T1146.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

110 lines
3.4 KiB
Markdown
Raw Blame History

# T1146 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.
Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the <code>~/.bash_history</code> file are indicators of suspicious activity.
Platforms: Linux, macOS
Data Sources: Authentication logs, File monitoring
Defense Bypassed: Log analysis, Host forensic analysis
Permissions Required: User</blockquote>
## Atomic Tests
- [Atomic Test #1 - Clear Bash history (rm)](#atomic-test-1---clear-bash-history-rm)
- [Atomic Test #2 - Clear Bash history (echo)](#atomic-test-2---clear-bash-history-echo)
- [Atomic Test #3 - Clear Bash history (cat dev/null)](#atomic-test-3---clear-bash-history-cat-devnull)
- [Atomic Test #4 - Clear Bash history (ln dev/null)](#atomic-test-4---clear-bash-history-ln-devnull)
- [Atomic Test #5 - Clear Bash history (truncate)](#atomic-test-5---clear-bash-history-truncate)
- [Atomic Test #6 - Clear history of a bunch of shells](#atomic-test-6---clear-history-of-a-bunch-of-shells)
<br/>
## Atomic Test #1 - Clear Bash history (rm)
Clears bash history via rm
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
rm ~/.bash_history
```
<br/>
<br/>
## Atomic Test #2 - Clear Bash history (echo)
Clears bash history via rm
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
echo "" > ~/.bash_history
```
<br/>
<br/>
## Atomic Test #3 - Clear Bash history (cat dev/null)
Clears bash history via cat /dev/null
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
cat /dev/null > ~/.bash_history
```
<br/>
<br/>
## Atomic Test #4 - Clear Bash history (ln dev/null)
Clears bash history via a symlink to /dev/null
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
ln -sf /dev/null ~/.bash_history
```
<br/>
<br/>
## Atomic Test #5 - Clear Bash history (truncate)
Clears bash history via truncate
**Supported Platforms:** Linux
#### Run it with `sh`!
```
truncate -s0 ~/.bash_history
```
<br/>
<br/>
## Atomic Test #6 - Clear history of a bunch of shells
Clears the history of a bunch of different shell types by setting the history size to zero
**Supported Platforms:** Linux
#### Run it with `sh`!
```
unset HISTFILE
export HISTFILESIZE=0
history -c
```
<br/>
Reference in New Issue View Git Blame Copy Permalink