A process outside of an interactive shell context reads ~/.bash_history directly (e.g., using cat, less, or grep), often shortly after privilege escalation or a user switch (su/sudo). This may be followed by credential scanning in memory or by file writes to new locations.
| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open/read access to ~/.bash_history |
| Process Creation (DC0032) | auditd:EXECVE | cat, less, or grep accessing .bash_history from a non-shell process |
| File Creation (DC0039) | auditd:SYSCALL | write or create file after .bash_history access |
| Field | Description |
|---|---|
| UserContext | Filter by users with elevated privileges or service accounts |
| TimeWindow | Correlate access to .bash_history within X seconds of user switch or privilege escalation |
| ProcessNamePatterns | Add/remove CLI utilities used to read bash history |
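An added example, not part of the original analytic, that runs the correlation above in Python over constructed auditd records: any read of .bash_history by a non-shell process is flagged, and raised to high when it follows su/sudo for the same audit uid within TimeWindow. The reader-utility list, shell list and 60-second window are assumed tunables.

```python
import re

# Assumed tunables mirroring the mutable elements: ProcessNamePatterns,
# shells whose own history reads are expected, and TimeWindow after su/sudo.
READER_UTILITIES = {"cat", "less", "grep", "more", "head", "tail"}
INTERACTIVE_SHELLS = {"bash", "zsh", "sh"}
PRIV_ESC_COMMANDS = {"sudo", "su"}
TIME_WINDOW_SECONDS = 60

# Constructed auditd records (not real telemetry): sudo, then root reading alice's
# history with cat 12s later, her own bash touching it, then grep far outside the window.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4111 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1700000012.300:202): arch=c000003e syscall=257 success=yes exit=3 ppid=4111 pid=4120 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="bash_history"
type=PATH msg=audit(1700000012.300:202): item=0 name="/home/alice/.bash_history" inode=131 mode=0100600 ouid=1000
type=SYSCALL msg=audit(1700000300.000:203): arch=c000003e syscall=257 success=yes exit=3 ppid=2000 pid=2001 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="bash_history"
type=PATH msg=audit(1700000300.000:203): item=0 name="/home/alice/.bash_history" inode=131 mode=0100600 ouid=1000
type=SYSCALL msg=audit(1700000900.000:204): arch=c000003e syscall=257 success=yes exit=3 ppid=2001 pid=2050 auid=1000 uid=1000 comm="grep" exe="/usr/bin/grep" key="bash_history"
type=PATH msg=audit(1700000900.000:204): item=0 name="/home/alice/.bash_history" inode=131 mode=0100600 ouid=1000
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

def parse_audit_events(text):
    # Records sharing an audit serial form one event: SYSCALL fields merge, PATH names collect.
    events = {}
    for line in text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1)), "serial": int(m.group(2)), "paths": []})
        if fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
        else:
            ev.update(fields)
    return sorted(events.values(), key=lambda e: e["ts"])

def detect_history_access(text, window=TIME_WINDOW_SECONDS):
    # auid survives su/sudo, so it ties the reading process back to the login session that escalated.
    alerts, last_priv_esc = [], {}
    for ev in parse_audit_events(text):
        comm, auid = ev.get("comm", ""), ev.get("auid", "")
        if comm in PRIV_ESC_COMMANDS:
            last_priv_esc[auid] = ev["ts"]
            continue
        if comm in INTERACTIVE_SHELLS or not any(p.endswith("/.bash_history") for p in ev["paths"]):
            continue  # the shell maintaining its own history file is expected
        since = ev["ts"] - last_priv_esc.get(auid, float("-inf"))
        alerts.append({"serial": ev["serial"], "comm": comm, "uid": ev.get("uid"), "auid": auid,
                       "after_priv_esc": since <= window,
                       "severity": "high" if comm in READER_UTILITIES and since <= window else "medium"})
    return alerts
```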
A process or terminal command outside of standard shell utilities reads the user's .bash_history file. On macOS, unified logs or telemetry tools like EndpointSecurity (ESF) may observe file read APIs or terminal process lineage that shows non-user-initiated access.
| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:endpointsecurity | open or read syscall to ~/.bash_history |
| Process Metadata (DC0034) | macos:unifiedlog | non-shell process tree accessing bash history |
| Field | Description |
|---|---|
| ParentProcessCheck | Scope access to .bash_history only if parent is not Terminal.app or bash/zsh |
| AccessFrequency | Raise priority if .bash_history is accessed multiple times in short window |