From 1e4ef648db0714c7a2346fd8d1cf7902dbc971f1 Mon Sep 17 00:00:00 2001
From: Galapag0s <47836093+Galapag0s@users.noreply.github.com>
Date: Thu, 26 Sep 2019 12:53:13 -0400
Subject: [PATCH] Added Additional history clearing options

history -w will clear the current shell history
shred purposely overwrites data replacing it with random data
---
 rules/linux/lnx_shell_clear_cmd_history.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml
index ec1dda650..d8d5796e1 100644
--- a/rules/linux/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/lnx_shell_clear_cmd_history.yml
@@ -4,6 +4,7 @@ description: Clear command history in linux which is used for defense evasion.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
 - https://attack.mitre.org/techniques/T1146/
+ - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
 author: Patrick Bareiss
 date: 2019/03/24
 logsource:
@@ -18,6 +19,8 @@ detection:
 # - 'unset HISTFILE' # prone to false positives
 - 'export HISTFILESIZE=0'
 - 'history -c'
+ - 'history -w'
+ - 'shred *bash_history'
 condition: keywords
 falsepositives:
 - Unknown
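Review bot: The new `'history -w'` keyword in the second hunk matches a bash builtin that by itself does not clear anything — it writes the in-memory history list to the history file, and the file only ends up empty when the list was first cleared with `history -c`, which this rule already matches on the line above; as a standalone keyword it will also fire on ordinary shell configuration that persists history on each prompt. If the keyword is kept, the `falsepositives:` list visible at the end of the hunk should record this, e.g. `- Shell configuration or scripts that call 'history -w' to persist history`, and the commit message's statement that `history -w` clears the current shell history should be corrected to match. For `'shred *bash_history'` the `*` is a Sigma wildcard rather than a shell glob, so it stands in for whatever path or options precede the filename; a short comment such as `# '*' is a Sigma wildcard, covers the path/options before bash_history` above that line would make the intent explicit to the next maintainer. The `keywords:` list these lines extend begins outside the hunk.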