Skip to content

Latest commit

 

History

History
109 lines (71 loc) · 3.41 KB

T1146.md

File metadata and controls

109 lines (71 loc) · 3.41 KB

T1146 - Clear Command History

macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as unset HISTFILE, export HISTFILESIZE=0, history -c, rm ~/.bash_history.

Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's /.bash_history is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the /.bash_history file are indicators of suspicious activity.

Platforms: Linux, macOS

Data Sources: Authentication logs, File monitoring

Defense Bypassed: Log analysis, Host forensic analysis

Permissions Required: User

Atomic Tests


Atomic Test #1 - Clear Bash history (rm)

Clears bash history via rm

Supported Platforms: Linux, macOS

Run it with sh!

rm ~/.bash_history


Atomic Test #2 - Clear Bash history (echo)

Clears bash history via rm

Supported Platforms: Linux, macOS

Run it with sh!

echo "" > ~/.bash_history


Atomic Test #3 - Clear Bash history (cat dev/null)

Clears bash history via cat /dev/null

Supported Platforms: Linux, macOS

Run it with sh!

cat /dev/null > ~/.bash_history


Atomic Test #4 - Clear Bash history (ln dev/null)

Clears bash history via a symlink to /dev/null

Supported Platforms: Linux, macOS

Run it with sh!

ln -sf /dev/null ~/.bash_history


Atomic Test #5 - Clear Bash history (truncate)

Clears bash history via truncate

Supported Platforms: Linux

Run it with sh!

truncate -s0 ~/.bash_history


Atomic Test #6 - Clear history of a bunch of shells

Clears the history of a bunch of different shell types by setting the history size to zero

Supported Platforms: Linux, macOS

Run it with sh!

unset HISTFILE
export HISTFILESIZE=0
history -c