T1552.003 - Bash History

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the “history” utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

Atomic Tests

Atomic Test #1 - Search Through Bash HistorySearch through bash history for specifice commands we want to capture

Supported Platforms: linux, macos#### Attack Commands: Run with sh

cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > ~/loot.txt

Invoke-AtomicTest T1552.003 -TestNumbers 1

Atomic Test #2 - Search Through sh HistorySearch through sh history for specifice commands we want to capture

Supported Platforms: linux#### Attack Commands: Run with sh

cat ~/.history | grep -e '-p ' -e 'pass' -e 'ssh' > ~/loot.txt

Invoke-AtomicTest T1552.003 -TestNumbers 2

Detection

Monitoring when the user’s .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like “history” instead of commands like cat ~/.bash_history.