Tampering of Shell Command-Line History

Adversaries may clear or disable the Bash command-line history in an attempt to evade detection or forensic investigation.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/05/04"
 3integration = ["endpoint", "auditd_manager"]
 4maturity = "production"
 5updated_date = "2024/07/05"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic
11investigations.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Tampering of Shell Command-Line History"
18risk_score = 47
19rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
20setup = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
25`event.ingested` to @timestamp.
26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
27"""
28severity = "medium"
29tags = [
30    "Domain: Endpoint",
31    "OS: Linux",
32    "OS: macOS",
33    "Use Case: Threat Detection",
34    "Tactic: Defense Evasion",
35    "Data Source: Elastic Defend",
36    "Data Source: Elastic Endgame",
37    "Data Source: Auditd Manager",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
44 (
45  ((process.args : ("rm", "echo") or
46    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
47    (process.args : "truncate" and process.args : "-s0"))
48    and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
49                        ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
50  (process.args : "history" and process.args : "-c") or
51  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
52  (process.args : "unset" and process.args : "HISTFILE") or
53  (process.args : "set" and process.args : "history" and process.args : "+o")
54 )
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1070"
62name = "Indicator Removal"
63reference = "https://attack.mitre.org/techniques/T1070/"
64[[rule.threat.technique.subtechnique]]
65id = "T1070.003"
66name = "Clear Command History"
67reference = "https://attack.mitre.org/techniques/T1070/003/"
68
69
70
71[rule.threat.tactic]
72id = "TA0005"
73name = "Defense Evasion"
74reference = "https://attack.mitre.org/tactics/TA0005/"
