1. Home
  2. Techniques
  3. Enterprise
  4. Unsecured Credentials
  5. Shell History

Unsecured Credentials: Shell History

ID Name
T1552.001 Credentials In Files
T1552.002 Credentials in Registry
T1552.003 Shell History
T1552.004 Private Keys
T1552.005 Cloud Instance Metadata API
T1552.006 Group Policy Preferences
T1552.007 Container API
T1552.008 Chat Messages

Adversaries may search the command history on compromised systems for insecurely stored credentials.

On Linux and macOS systems, shells such as Bash and Zsh keep track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's history file. For each user, this file resides at the same location: for example, ~/.bash_history or ~/.zsh_history. Typically, these files keeps track of the user's last 1000 commands.

On Windows, PowerShell has both a command history that is wiped after the session ends, and one that contains commands used in all sessions and is persistent. The default location for persistent history can be found in %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt, but command history can also be accessed with Get-History. Command Prompt (CMD) on Windows does not have persistent history.[1][2]

Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials.[3]

ID: T1552.003
Sub-technique of:  T1552
Tactic: Credential Access
Platforms: Linux, Windows, macOS
Contributors: Avioo360; Raja Singh (raja-singh-r3v-sh3ll)
Version: 2.0
Created: 04 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0599 Kinsing

Kinsing has searched bash_history for credentials.[4]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:
set +o history and set -o history to start logging again;
unset HISTFILE being added to a user's .bash_rc file; and
ln -s /dev/null ~/.bash_history to write commands to /dev/null instead.

In Zsh, fc -p can be used to create a private history session. However, previous history will be unavailable to the user until the session ends. Using unset HISTFILE and writing commands to /dev/null can also be used, similarly to Bash.

In PowerShell, users can utilize Set-PSReadLineOption to modify how commands are saved into history. Setting -HistorySaveStyle SaveNothing prevents command history from being saved onto the file. Note that setting it from SaveNothing to SaveIncrementally in the same session will cause all commands from that session to be saved. Alternatively, -AddToHistoryHandler can be used to filter certain commands from being saved into the history file.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0385 Detect Access and Parsing of .bash_history Files for Credential Harvesting AN1085

A process outside of interactive shell context reads ~/.bash_history directly (e.g., using cat, less, grep), often shortly after privilege escalation or user switch (su/sudo). This may be followed by credential scanning in memory or file writes to new locations.
AN1086

A process or terminal command outside of standard shell utilities reads the user's .bash_history file. On macOS, unified logs or telemetry tools like EndpointSecurity (ESF) may observe file read APIs or terminal process lineage that shows non-user-initiated access.

References

  1. Microsoft. (2024, January 19). about_History. Retrieved June 13, 2025.
  2. Michael Koczwara. (2021, March 14). Windows privilege escalation via PowerShell History. Retrieved June 13, 2025.
  1. Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
  2. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.