From c9f50a2d5c4a2adcba8ea69532c8bef89acc89fe Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 5 Jul 2024 12:58:07 +0100
Subject: [PATCH] Update defense_evasion_deletion_of_bash_command_line_history.toml (#3614)

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson
(cherry picked from commit 1d57e0c779e1d4d313163742332334846ccf427b)
---
 ...defense_evasion_deletion_of_bash_command_line_history.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 8a55874a9..3e7e48176 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/07/05"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte
 (process.args : "truncate" and process.args : "-s0")) and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history", ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
- (process.name : "history" and process.args : "-c") or
+ (process.args : "history" and process.args : "-c") or
 (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
 (process.args : "unset" and process.args : "HISTFILE") or
 (process.args : "set" and process.args : "history" and process.args : "+o")
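Review bot: The replacement clause on the `+` line tests `process.args : "history"` and `process.args : "-c"` as two independent matches with no ordering, so any process whose argument list carries both tokens anywhere fires — a constructed `grep -c history notes.txt` satisfies it, which the removed `process.name : "history"` form could not. Since `history` is a shell builtin, the tokens only reach a spawned process's argv when a shell is invoked with them, so anchoring the clause on the shell is the natural tightening, e.g. `(process.name : ("bash", "sh", "zsh") and process.args : "history" and process.args : "-c") or`; whether the endpoint and auditd integrations actually surface the builtin's tokens as separate args is worth confirming against sample events before relying on either form. The enclosing `process where` query begins before this hunk and its closing parentheses fall outside it as well. A sentence in the commit description recording why `process.name` was dropped (presumably because a builtin never appears as a process name) would help the next reviewer, since the `updated_date` bump alone does not capture the reasoning.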