security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1148/T1148.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

39 lines
2.1 KiB
Markdown
Raw Blame History

# T1146 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.
Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the <code>~/.bash_history</code> file are indicators of suspicious activity.
Platforms: Linux, macOS
Data Sources: Authentication logs, File monitoring
Defense Bypassed: Log analysis, Host forensic analysis
Permissions Required: User</blockquote>
## Atomic Tests
- [Atomic Test #1 - Disable history collection](#atomic-test-1---disable-history-collection)
<br/>
## Atomic Test #1 - Disable history collection
Disables history collection in shells
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|
#### Run it with `sh`!
```
export HISTCONTROL=ignoreboth
ls #{evil_command}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink