Unsecured Credentials: Bash History

Other sub-techniques of Unsecured Credentials (8)

ID	Name
T1552.001	Credentials In Files
T1552.002	Credentials in Registry
T1552.003	Bash History
T1552.004	Private Keys
T1552.005	Cloud Instance Metadata API
T1552.006	Group Policy Preferences
T1552.007	Container API
T1552.008	Chat Messages

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. ^[1]

ID: T1552.003

Sub-technique of: T1552

ⓘ

Tactic: Credential Access

ⓘ

Platforms: Linux, macOS

Version: 1.2

Created: 04 February 2020

Last Modified: 12 September 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0599	Kinsing	Kinsing has searched `bash_history` for credentials.^[2]

Mitigations

ID	Mitigation	Description
M1028	Operating System Configuration	There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:`set +o history` and `set -o history` to start logging again;`unset HISTFILE` being added to a user's .bash_rc file; and`ln -s /dev/null ~/.bash_history` to write commands to `/dev/null`instead.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like `cat ~/.bash_history`. Analytic 1 - Commands accessing .bash_historythrough unexpected means. `(index=os sourcetype="linux_secure" action="open" filepath="/home//.bash_history") OR(index=os sourcetype="macos_secure" event_type="open" file_path="/Users//.bash_history")`
DS0022	File	File Access	Monitoring when the user's `.bash_history` is read can help alert to suspicious activity. Analytic 1 - Unauthorized access to .bash_history. `(index=os sourcetype="linux_secure" action="open" filepath="/home//.bash_history") OR(index=os sourcetype="macos_secure" event_type="open" file_path="/Users//.bash_history") \| where User NOT IN ("root", "daemon", "bin", "nobody", "_spotlight", "_mbsetupuser")\| where NOT match(User, "^[a-z]+$") # Filter out common service accounts`

DS0017

Command

Command Execution

While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history.

Analytic 1 - Commands accessing .bash_historythrough unexpected means.

(index=os sourcetype="linux_secure" action="open" filepath="/home//.bash_history") OR(index=os sourcetype="macos_secure" event_type="open" file_path="/Users//.bash_history")

DS0022

File

File Access

Monitoring when the user's .bash_history is read can help alert to suspicious activity.

Analytic 1 - Unauthorized access to .bash_history.

(index=os sourcetype="linux_secure" action="open" filepath="/home//.bash_history") OR(index=os sourcetype="macos_secure" event_type="open" file_path="/Users//.bash_history") | where User NOT IN ("root", "daemon", "bin", "nobody", "_spotlight", "_mbsetupuser")| where NOT match(User, "^[a-z]+$") # Filter out common service accounts

References

Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.

Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.