Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history
file. For each user, this file resides at the same location: ~/.bash_history
. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. [1]
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration |
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like |
DS0022 | File | File Access |
Monitoring when the user's |