Tampering of Shell Command-Line History
Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/05/04"
3integration = ["endpoint", "auditd_manager"]
4maturity = "production"
5updated_date = "2024/09/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic
11investigations.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Tampering of Shell Command-Line History"
18references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
19risk_score = 47
20rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
21setup = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
24events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
25Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
26`event.ingested` to @timestamp.
27For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
28"""
29severity = "medium"
30tags = [
31 "Domain: Endpoint",
32 "OS: Linux",
33 "OS: macOS",
34 "Use Case: Threat Detection",
35 "Tactic: Defense Evasion",
36 "Data Source: Elastic Defend",
37 "Data Source: Elastic Endgame",
38 "Data Source: Auditd Manager",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
45 (
46 ((process.args : ("rm", "echo") or
47 (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
48 (process.args : "truncate" and process.args : "-s0"))
49 and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
50 ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
51 (process.args : "history" and process.args : "-c") or
52 (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
53 (process.args : "unset" and process.args : "HISTFILE") or
54 (process.args : "set" and process.args : "history" and process.args : "+o")
55 )
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1070"
63name = "Indicator Removal"
64reference = "https://attack.mitre.org/techniques/T1070/"
65[[rule.threat.technique.subtechnique]]
66id = "T1070.003"
67name = "Clear Command History"
68reference = "https://attack.mitre.org/techniques/T1070/003/"
69
70
71
72[rule.threat.tactic]
73id = "TA0005"
74name = "Defense Evasion"
75reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Potential Disabling of AppArmor
- Attempt to Clear Kernel Ring Buffer
- Base16 or Base32 Encoding/Decoding Activity
- ESXI Timestomping using Touch Command
- Potential Disabling of SELinux