T1552.003: Bash History
Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash records the commands a user types at the command line in an in-memory history list (viewable with the "history" builtin); when an interactive shell exits, for example at logout, that list is written to the user's history file. For each user this file resides at the same location, ~/.bash_history, and by default it holds the user's most recent 500 commands (the HISTSIZE and HISTFILESIZE limits; many distributions raise them). Users often pass usernames and passwords to programs as command-line parameters, and those parameters are saved to the file when the shell exits. Adversaries abuse this by reading the file and searching it for credentials. Bash creates the file with mode 0600, so reading another user's history normally requires that user's privileges or root.
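The search an adversary (or an auditor checking their own estate) runs over the file, as an added example that is not part of the original page. The history contents, usernames, hosts and secrets are constructed for the demonstration, and the grep patterns are a starting point rather than a complete credential grammar.

```shell
# Added example, not from the original page. Builds a constructed
# ~/.bash_history in a temp file and scans it for credential-bearing lines.
# All usernames, hosts and secrets below are made up.

SAMPLE_HIST="$(mktemp)"
cat >"$SAMPLE_HIST" <<'EOF'
cd /var/www
git pull
mysql -u app -pS3cretDbPw! -h db.internal appdb
curl -u deploy:hunter2 https://ci.internal/api/build
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
sshpass -p 'Tr0ub4dor&3' ssh ops@10.0.0.5
ls -la
vim /etc/nginx/nginx.conf
EOF

# Print lines of a history file that look like they carry a credential:
#   -pSECRET style flags (mysql, pg_dump, smbclient ...)
#   -u user:password (curl and similar)
#   NAME=value where NAME smells like a secret
#   sshpass -p
# Exit status is grep's: 0 if anything matched, 1 if nothing did.
scan_history_for_creds() {
    grep -E -i \
        -e '(^|[[:space:]])-p[^[:space:]]+' \
        -e '(^|[[:space:]])-u[[:space:]]+[^[:space:]]+:[^[:space:]]+' \
        -e '(pass(word|wd)?|secret|token|api_?key|access_key)[[:space:]]*=' \
        -e 'sshpass[[:space:]]+-p' \
        "$1"
}

# The same scan over every history file the current account can read.
# The files are created 0600, so covering other users needs root.
scan_all_users() {
    for f in /root/.bash_history /home/*/.bash_history; do
        [ -r "$f" ] || continue
        scan_history_for_creds "$f" | sed "s|^|$f: |"
    done
}

scan_history_for_creds "$SAMPLE_HIST"
```

Run as is, the scan reports the mysql, curl, AWS and sshpass lines and leaves the six harmless commands alone; expect false positives on flags such as "mkdir -p", which is why the output is a review list rather than an alert.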
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_cred_access: PT-CR-1691: Unix_History_File_Read: Unix OS files containing command history were read
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0022 | File: File Access | Monitoring when the user's |
| DS0017 | Command: Command Execution | While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like |
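A check implementing the command-execution data source above, as an added example that is neither the page's nor the MaxPatrol rule's logic: it flags process launches whose arguments reference a .bash_history path, skips the shell itself, and rates reads of another user's file higher. The log lines and their field layout (user=, comm=, argv=) are constructed for the example; real sources are auditd EXECVE/PROCTITLE records, Sysmon for Linux or EDR process telemetry, normalised into similar fields first.

```shell
# Added example, not from the original page. Constructed process-execution
# log lines in a made-up but realistic key=value layout.
SAMPLE_EXEC_LOG="$(mktemp)"
cat >"$SAMPLE_EXEC_LOG" <<'EOF'
2024-05-02T10:11:02Z host=web1 user=alice pid=4211 comm=bash argv="bash"
2024-05-02T10:11:40Z host=web1 user=alice pid=4230 comm=cat argv="cat /home/alice/.bash_history"
2024-05-02T10:12:05Z host=web1 user=www-data pid=4251 comm=grep argv="grep -i passw /home/bob/.bash_history"
2024-05-02T10:12:30Z host=web1 user=www-data pid=4260 comm=cat argv="cat /root/.bash_history"
2024-05-02T10:13:00Z host=web1 user=alice pid=4275 comm=tail argv="tail -n 20 /var/log/syslog"
2024-05-02T10:13:30Z host=web1 user=bob pid=4290 comm=find argv="find /home -name .bash_history -exec cat {} ;"
2024-05-02T10:14:00Z host=web1 user=alice pid=4301 comm=vim argv="vim /home/alice/.bashrc"
EOF

# Print every execution that touches a .bash_history path, prefixed with a
# severity. The shell itself is skipped (it reads and writes its own file at
# start and exit). "high" when the file belongs to someone other than the
# executing user, "medium" otherwise (own history via cat/grep, or a
# filesystem-wide search such as find).
flag_history_reads() {
    awk '
    /[.]bash_history/ {
        user = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^user=/) user = substr($i, 6)
            if ($i ~ /^comm=/) comm = substr($i, 6)
        }
        if (comm == "bash" || comm == "sh") next
        sev = "medium"
        if (match($0, "/home/[^/ ]+/[.]bash_history")) {
            # strip "/home/" (6 chars) and "/.bash_history" (14 chars)
            owner = substr($0, RSTART + 6, RLENGTH - 20)
            if (owner != user) sev = "high"
        } else if ($0 ~ "/root/[.]bash_history" && user != "root") {
            sev = "high"
        }
        print sev ": " $0
    }' "$@"
}

# For the file-access data source the auditd equivalent is a read watch on
# the file, for example for root:  -w /root/.bash_history -p r -k bash_history_read
flag_history_reads "$SAMPLE_EXEC_LOG"
```

On the constructed log this yields two high findings (www-data reading bob's and root's files) and two medium ones (alice reading her own history with cat, bob enumerating with find); the plain shell start and the .bashrc edit are not reported.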
Mitigation
| ID | Name | Description |
|---|---|---|
| M1028 | Operating System Configuration | There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |
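A hardening fragment for ~/.bashrc (or /etc/profile.d/ to cover every user), as an added example not taken from the page: the default behaviour is shown commented out beside the corrected settings. HISTFILE, HISTSIZE, HISTFILESIZE, HISTCONTROL, HISTIGNORE and set +o history are bash's own; the HISTIGNORE patterns are an assumption to be tuned per environment.

```shell
# Added example, not from the original page: bash history hardening for
# ~/.bashrc or /etc/profile.d/history-hardening.sh.

# Default (weak): every command is kept and written to the file on exit.
#   HISTFILE=~/.bash_history
#   HISTSIZE=500
#   HISTCONTROL=            # nothing filtered

# Option A: never write a history file at all (strongest; you lose recall too).
#   unset HISTFILE

# Option B: keep history but filter secrets before they are saved.
export HISTCONTROL=ignoreboth     # ignorespace + ignoredups: a leading space hides a command
# Patterns are an assumption; "*-p*" also drops e.g. "mkdir -p", so tune them.
export HISTIGNORE='*-p*:*--password*:*PASSWORD=*:*SECRET*:*TOKEN*:sshpass *'
export HISTFILESIZE=500           # cap what survives on disk

# Option C: suspend recording for one sensitive stretch of a session.
#   set +o history    # stop recording
#   ...
#   set -o history    # resume
```

Verify in a fresh login shell with "echo $HISTCONTROL $HISTIGNORE" and by checking that a command typed with a leading space does not appear in "history". None of these settings protects the command while it runs: its arguments are still visible in ps, in /proc/PID/cmdline and in terminal scrollback, so the durable fix is to stop passing secrets as arguments (let the tool prompt, or use a credentials file or environment loaded from one).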