Update T1146.md

defense evasion/T1146/T1146.md

@@ -5,23 +5,30 @@
 # How to Detect  
 
 ## Simulating the attack 
-
+```
 rm ~/.bash_history
-
+```
+```
 echo " " > .bash_history
-
+```
+```
 cat /dev/null > ~/.bash_history
-
+```
+```
 ln -sf /dev/null ~/.bash_history
-
+```
+```
 truncate -s0 ~/.bash_history
-
+```
+```
 unset HISTFILE
-
+```
+```
 export HISTFILESIZE=0
-
+```
+```
 history -c
-
+```
 ## Data sources required to detect the attack
 
 auditlogs (audit.rules)
@@ -33,31 +40,31 @@ bash_history logs
 ### auditlogs(syscalls)
 
 #### rm -rf  ~/.bash_history 
-
+```
 index=linux sourcetype=linux_audit syscall=263 | table time,host,auid,uid,euid,exe,key
 
 index=linux sourcetype=linux_audit type=PATH name=.bash_history nametype=delete | table time,name,nametype
-
+```
 #### echo " " > .bash_history
-
+```
 index=linux sourcetype="linux_audit" bash_history_changes exe!=/home/ec2-user/splunk/bin/splunkd syscall=257 a2!=0 AND a3!=0 | table host,syscall,syscall_name,exe,auid
-
+```
 #### Note: 
 
 a2!=0 and a3!=0 are added in to the query to distinuish echo and cat - both logs Systemcall 257 (openat). Morover, when a user logsin through ssh - SYSCALL 257 is used with exe=/usr/bin/bash (2 events generated)for /home/$USER/.bash_history; however in that case the command arguments a2=0 and a3=0 ; when we use command "echo " "> .bash_history"  the same systemcall (257) and the same exe = /usr/bin/bash is used however command arguments a2!=0 and a3!=0.
 
 index=linux sourcetype="linux_audit" bash_history_changes exe!=/home/ec2-user/splunk/bin/splunkd syscall=257 exe=/usr/bin/bash a2!=0 AND a3!=0| table host,syscall,syscall_name,exe,auid
 
 #### Audit-rules 
-
+```
 -a always,exit -F arch=b64 -F PATH=/home/ec2-user/.bash_history -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete_bash_history
 
 -w /home/ec2-user/.bash_history -p rwa -k bash_history_changes
-
+```
 ### bash_history 
-
+```
 index=linux sourcetype="bash_history"  "rm * .bash_history"
-
+```
 ## Caution
 
 #### Note: