Tampering of Shell Command-Line History

Adversaries may delete, truncate, redirect or disable the Bash or Zsh command-line history to evade detection and hinder forensic investigation. This rule alerts on process executions whose arguments name a history file together with a destructive command, or that carry the shell builtins used to clear the history buffer or switch history logging off.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/05/04"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic
investigations.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Tampering of Shell Command-Line History"
references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Auditd Manager",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
 (
  ((process.args : ("rm", "echo") or
    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
    (process.args : "truncate" and process.args : "-s0"))
    and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
                        ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
  (process.args : "history" and process.args : "-c") or
  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
  (process.args : "unset" and process.args : "HISTFILE") or
  (process.args : "set" and process.args : "history" and process.args : "+o")
 )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Tampering of Shell Command-Line History

Shell command-line history is a crucial feature in Unix-like systems, recording user commands for convenience and auditing. Adversaries may manipulate this history to hide their tracks, using commands to delete or redirect history files, clear history buffers, or disable history logging. The detection rule identifies such tampering by monitoring for suspicious command patterns and arguments indicative of history manipulation attempts.

### Possible investigation steps

- Review the process execution details to identify the user account associated with the suspicious command, focusing on the process.args field to determine the specific command and arguments used.
- Check the process execution timeline to correlate the suspicious activity with other events on the system, such as logins or file modifications, to understand the context of the tampering attempt.
- Investigate the command history files (.bash_history, .zsh_history) for the affected user accounts to assess the extent of tampering and identify any commands that may have been executed prior to the history manipulation.
- Examine system logs and audit records for any additional indicators of compromise or related suspicious activities, such as unauthorized access attempts or privilege escalation events.
- Verify the current configuration of the HISTFILE and HISTFILESIZE environment variables for the affected user accounts to ensure they have not been altered to disable history logging.

### False positive analysis

- System administrators or automated scripts may clear command-line history as part of routine maintenance or privacy measures. To handle this, identify and whitelist known scripts or user accounts that perform these actions regularly.
- Developers or power users might redirect or unset history files to manage disk space or for personal preference. Consider excluding specific user accounts or directories from monitoring if these actions are verified as non-malicious.
- Security tools or compliance scripts may execute commands that resemble history tampering to ensure systems are in a desired state. Review and exclude these tools from triggering alerts by adding them to an exception list.
- Temporary testing environments or sandboxed systems might frequently clear history as part of their reset processes. Exclude these environments from the rule to prevent unnecessary alerts.
- Users with privacy concerns might intentionally disable history logging. Engage with these users to understand their needs and adjust monitoring policies accordingly, possibly by excluding their sessions from the rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further tampering or data exfiltration.
- Conduct a thorough review of the affected user's recent command history and system logs to identify any unauthorized or suspicious activities that may have occurred prior to the tampering.
- Restore the tampered history files from a secure backup, if available, to aid in further forensic analysis and ensure continuity of auditing.
- Re-enable and secure shell history logging by resetting the HISTFILE and HISTFILESIZE environment variables to their default values and ensuring they are not set to null or zero.
- Implement stricter access controls and monitoring on the affected system to prevent unauthorized users from modifying shell history files in the future.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems may have been compromised.
- Review and update endpoint detection and response (EDR) configurations to enhance monitoring for similar tampering attempts, ensuring alerts are generated for any future suspicious command patterns."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.003"
name = "Clear Command History"
reference = "https://attack.mitre.org/techniques/T1070/003/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
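The query above, re-expressed as plain Python so each clause can be exercised against sample process events. This is an added example and not Elastic's code; the flat event dicts, the constructed argv samples and the user name are assumptions. Two things the query leaves implicit are worth seeing in code: EQL's `:` operator compares strings case-insensitively with `*` as a wildcard and, against an array field such as process.args, succeeds when any element matches, so a clause is satisfied by tokens in any argv position rather than by one particular command line. And `history`, `export`, `unset` and `set` are shell builtins, which never execve when typed interactively; those clauses only fire when the tokens surface as separate argv elements of a process that really was executed, so `bash -c "history -c"`, whose third argv element is the whole quoted string, is not matched.

```python
"""Plain-Python model of the rule's `process where ...` query (added example,
not Elastic's code). Events are flat dicts keyed by ECS field name."""
import fnmatch

# Values copied from the rule's query
EXEC_ACTIONS = {"exec", "exec_event", "executed", "process_started"}
HISTORY_FILES = (
    ".bash_history", "/root/.bash_history", "/home/*/.bash_history",
    "/Users/.bash_history", "/Users/*/.bash_history",
    ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history",
    "/Users/.zsh_history", "/Users/*/.zsh_history",
)


def arg_matches(args, *patterns):
    """EQL `process.args : ("a", "b")`: true if ANY argv element equals ANY
    pattern, compared case-insensitively, with `*` as a wildcard."""
    return any(
        fnmatch.fnmatchcase(arg.lower(), pat.lower())
        for arg in args for pat in patterns
    )


def matches_rule(event):
    """Return True when the event satisfies the rule's query."""
    if event.get("event.action") not in EXEC_ACTIONS or event.get("event.type") != "start":
        return False
    args = event.get("process.args", [])

    def has(*patterns):
        return arg_matches(args, *patterns)

    # Clause 1: a file-destroying command whose argv also names a history file
    destructive = (
        has("rm", "echo")
        or (has("ln") and has("-sf") and has("/dev/null"))
        or (has("truncate") and has("-s0"))
    )
    targets_history = destructive and has(*HISTORY_FILES)
    # Clauses 2-5: builtins that clear the buffer or disable logging
    clears_buffer = has("history") and has("-c")
    redirects_file = has("export") and has("HISTFILE=/dev/null", "HISTFILESIZE=0")
    unsets_file = has("unset") and has("HISTFILE")
    disables_option = has("set") and has("history") and has("+o")
    return targets_history or clears_buffer or redirects_file or unsets_file or disables_option


def exec_event(argv, action="exec", event_type="start", user="alice"):
    """Build a minimal process-start event (constructed sample, not real telemetry)."""
    return {"event.action": action, "event.type": event_type,
            "user.name": user, "process.args": list(argv)}


# Constructed sample events; the comments give the verdict the rule produces.
SAMPLE_EVENTS = [
    exec_event(["rm", "-f", "/home/alice/.bash_history"]),          # match: clause 1
    exec_event(["ln", "-sf", "/dev/null", "/root/.bash_history"]),  # match: clause 1
    exec_event(["truncate", "-s0", ".zsh_history"]),                # match: clause 1
    exec_event(["RM", "/Users/Bob/.BASH_HISTORY"]),                 # match: `:` ignores case
    exec_event(["sh", "-c", "unset", "HISTFILE"]),                  # match: tokens are separate argv elements
    exec_event(["bash", "-c", "history -c"]),                       # no match: "history -c" is ONE element
    exec_event(["rm", "-rf", "/tmp/build"]),                        # no match: not a history file
    exec_event(["cat", "/home/alice/.bash_history"]),               # no match: reads, does not destroy
    exec_event(["rm", "/home/alice/.bash_history"], event_type="end"),  # no match: wrong event.type
]


def alerts(events):
    """Return the argv of every event the rule would alert on, in input order."""
    return [e["process.args"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for argv in alerts(SAMPLE_EVENTS):
        print("ALERT:", " ".join(argv))
```

Running the file prints one ALERT line for each of the first five sample events and nothing for the last four. To try a candidate exclusion from the false-positive section, add the benign command line as another `exec_event` and check whether `matches_rule` still returns True before writing the exception in Kibana.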


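For the investigation step that verifies HISTFILE and HISTFILESIZE and the remediation step that resets them, a check a responder can run on the host. This is an added example and not part of the Elastic rule. It scans each user's shell startup files for the same directives the rule looks for on the command line, and also checks whether a history file is a symlink to /dev/null, the durable trace left behind by the `ln -sf` clause. It goes slightly beyond the rule by also flagging HISTSIZE=0, which empties the in-memory list and so has the same effect as HISTFILESIZE=0. The startup-file list, the home-directory roots and the sample .bashrc are assumptions. The reason the check is worth having: the rule observes process execution, and a directive an adversary writes into .bashrc runs inside the login shell and never produces an exec event.

```python
"""Host-side audit for persistently disabled shell history (added example,
not part of the Elastic rule). Startup-file names, home roots and the sample
rc content below are assumptions."""
import os
import re
from pathlib import Path

# Startup files an interactive or login shell evaluates (assumed list; extend per environment)
RC_FILES = (".bashrc", ".bash_profile", ".bash_login", ".profile",
            ".zshrc", ".zshenv", ".zprofile")
HISTORY_FILES = (".bash_history", ".zsh_history")

# One pattern per rule clause, applied to a single rc-file line with its comment removed.
# HISTSIZE=0 is not in the rule's query; it is included because it has the same effect.
TAMPER_PATTERNS = [
    (re.compile(r"""^\s*(?:export\s+)?HISTFILE=["']?(?:/dev/null)?["']?\s*$"""),
     "HISTFILE pointed at /dev/null or emptied"),
    (re.compile(r"""^\s*(?:export\s+)?HIST(?:FILE)?SIZE=["']?0["']?\s*$"""),
     "history size forced to 0"),
    (re.compile(r"^\s*unset\s+HISTFILE\b"), "HISTFILE unset"),
    (re.compile(r"^\s*set\s+\+o\s+history\b"), "history option disabled"),
    (re.compile(r"^\s*history\s+-c\b"), "history buffer cleared at startup"),
    (re.compile(r"\bln\s+-sf?\s+/dev/null\s+\S*\.(?:bash|zsh)_history"),
     "history file re-linked to /dev/null"),
]


def scan_rc_text(text):
    """Return (line_number, stripped_line, reason) for every line that disables history."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments; adequate for rc files
        for pattern, reason in TAMPER_PATTERNS:
            if pattern.search(code):
                hits.append((number, code.strip(), reason))
                break
    return hits


def history_file_redirected(home):
    """True if a history file under `home` is a symlink that resolves to /dev/null."""
    for name in HISTORY_FILES:
        path = Path(home) / name
        if path.is_symlink() and os.path.realpath(path) == "/dev/null":
            return True
    return False


def audit_home(home):
    """Collect human-readable findings for one home directory."""
    findings = []
    for rc in RC_FILES:
        path = Path(home) / rc
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError as exc:  # unreadable as the current user; report rather than skip silently
            findings.append(f"{path}: could not read ({exc})")
            continue
        for number, line, reason in scan_rc_text(text):
            findings.append(f"{path}:{number}: {reason}: {line}")
    if history_file_redirected(home):
        findings.append(f"{home}: history file is a symlink to /dev/null")
    return findings


# Constructed sample .bashrc: lines 3, 4 and 6 should be flagged; line 5 is a comment.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample for this example)
alias ll='ls -l'
export HISTFILESIZE=0
HISTFILE="/dev/null"   # hide commands from the auditors
# unset HISTFILE        <- commented out, must not fire
set +o history
"""

if __name__ == "__main__":
    for number, line, reason in scan_rc_text(SAMPLE_BASHRC):
        print(f"sample .bashrc:{number}: {reason}: {line}")
    # Assumed home roots for Linux and macOS; run as root to read every user's files.
    homes = [Path("/root"), *Path("/home").glob("*"), *Path("/Users").glob("*")]
    for home in homes:
        for finding in audit_home(home):
            print(finding)
```

A finding here is the persistence side of the alert: remediation means removing the directive from the startup file and replacing the /dev/null symlink with a regular file, not just re-exporting HISTFILE in the current session.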