Skip to content
This repository has been archived by the owner on Jan 16, 2024. It is now read-only.

Latest commit

 

History

History
40 lines (20 loc) · 1.63 KB

T1552.003.md

File metadata and controls

40 lines (20 loc) · 1.63 KB

T1552.003 - Bash History

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

Atomic Tests


Atomic Test #1 - Search Through Bash History

Search through bash history for specifice commands we want to capture

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path ~/loot.txt
bash_history_grep_args grep arguments that filter out specific commands we want to capture Path -e '-p ' -e 'pass' -e 'ssh'
bash_history_filename Path of the bash history file to capture Path ~/.bash_history

Attack Commands: Run with sh!

cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}