Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

71 lines (58 sloc) 3.15 KB

T1146 - Clear Command History

Description from ATT&CK

macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as unset HISTFILE, export HISTFILESIZE=0, history -c, rm ~/.bash_history.

How to Detect

Simulating the attack

rm ~/.bash_history
echo " " > .bash_history
cat /dev/null > ~/.bash_history
ln -sf /dev/null ~/.bash_history
truncate -s0 ~/.bash_history
unset HISTFILE
export HISTFILESIZE=0
history -c

Data sources required to detect the attack

auditlogs (audit.rules)

bash_history logs

Splunk Queries to detect the attack

auditlogs(syscalls)

rm -rf ~/.bash_history

index=linux sourcetype=linux_audit syscall=263 | table time,host,auid,uid,euid,exe,key

index=linux sourcetype=linux_audit type=PATH name=.bash_history nametype=delete | table time,name,nametype

echo " " > .bash_history

index=linux sourcetype="linux_audit" bash_history_changes exe!=/home/ec2-user/splunk/bin/splunkd syscall=257 a2!=0 AND a3!=0 | table host,syscall,syscall_name,exe,auid

Note:

a2!=0 and a3!=0 are added in to the query to distinuish echo and cat - both logs Systemcall 257 (openat). Morover, when a user logsin through ssh - SYSCALL 257 is used with exe=/usr/bin/bash (2 events generated)for /home/$USER/.bash_history; however in that case the command arguments a2=0 and a3=0 ; when we use command "echo " "> .bash_history" the same systemcall (257) and the same exe = /usr/bin/bash is used however command arguments a2!=0 and a3!=0.

index=linux sourcetype="linux_audit" bash_history_changes exe!=/home/ec2-user/splunk/bin/splunkd syscall=257 exe=/usr/bin/bash a2!=0 AND a3!=0| table host,syscall,syscall_name,exe,auid

Audit-rules

-a always,exit -F arch=b64 -F PATH=/home/ec2-user/.bash_history -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete_bash_history

-w /home/ec2-user/.bash_history -p rwa -k bash_history_changes

bash_history

index=linux sourcetype="bash_history"  "rm * .bash_history"

Caution

Note:

Note: We need to add the rule for each users' bash_history file under their home location. Wildcard expression () is not accepted in the audit.rules so we can NOT create a rule that watches the path = /home//.bash_history

You can’t perform that action at this time.