Tampering of Shell Command-Line History

Adversaries may attempt to clear or disable the Bash command-line history to evade detection or forensic investigations.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/05/04"
 3integration = ["endpoint", "auditd_manager"]
 4maturity = "production"
 5updated_date = "2024/09/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic
11investigations.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Tampering of Shell Command-Line History"
18references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
19risk_score = 47
20rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
21setup = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
24events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
25Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
26`event.ingested` to @timestamp.
27For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
28"""
29severity = "medium"
30tags = [
31    "Domain: Endpoint",
32    "OS: Linux",
33    "OS: macOS",
34    "Use Case: Threat Detection",
35    "Tactic: Defense Evasion",
36    "Data Source: Elastic Defend",
37    "Data Source: Elastic Endgame",
38    "Data Source: Auditd Manager",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
45 (
46  ((process.args : ("rm", "echo") or
47    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
48    (process.args : "truncate" and process.args : "-s0"))
49    and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
50                        ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
51  (process.args : "history" and process.args : "-c") or
52  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
53  (process.args : "unset" and process.args : "HISTFILE") or
54  (process.args : "set" and process.args : "history" and process.args : "+o")
55 )
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1070"
63name = "Indicator Removal"
64reference = "https://attack.mitre.org/techniques/T1070/"
65[[rule.threat.technique.subtechnique]]
66id = "T1070.003"
67name = "Clear Command History"
68reference = "https://attack.mitre.org/techniques/T1070/003/"
69
70
71
72[rule.threat.tactic]
73id = "TA0005"
74name = "Defense Evasion"
75reference = "https://attack.mitre.org/tactics/TA0005/"
