CircleCI Atomic Red Team doc generator
2.1 KiB
2.1 KiB
T1146 - Clear Command History
Description from ATT&CK
macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variableHISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such asunset HISTFILE,export HISTFILESIZE=0,history -c,rm ~/.bash_history.Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's
is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the/.bash_history/.bash_historyfile are indicators of suspicious activity.Platforms: Linux, macOS
Data Sources: Authentication logs, File monitoring
Defense Bypassed: Log analysis, Host forensic analysis
Permissions Required: User
Atomic Tests
Atomic Test #1 - Disable history collection
Disables history collection in shells
Supported Platforms: Linux, macOS
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| evil_command | Command to run after shell history collection is disabled | String | whoami |
Run it with sh!
export HISTCONTROL=ignoreboth
ls #{evil_command}