Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s.bash_historyfile. For each user, this file resides at the same location:~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)Detection: Monitoring when the user's
.bash_historyis read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands likecat ~/.bash_history.Platforms: Linux, macOS
Data Sources: File monitoring, Process monitoring, Process command-line parameters
Permissions Required: User
xxxx
Supported Platforms: Linux, macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history |
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh' |
| output_file | Path where captured results will be placed | Path | ~/loot.txt |
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}