Tampering of Shell Command-Line History

Adversaries may attempt to clear or disable the Bash or Zsh command-line history in an attempt to evade detection or forensic investigations.


[metadata]
creation_date = "2020/05/04"
# Fleet integrations this rule is associated with; presumably the ones that
# ship the logs-endpoint.* and logs-auditd_manager.* data streams the rule reads.
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack version the rule schema is written for (see min_stack_comments).
min_stack_version = "8.3.0"
updated_date = "2024/02/22"

 9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic
13investigations.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Tampering of Shell Command-Line History"
20risk_score = 47
21rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
22setup = """## Setup
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
27`event.ingested` to @timestamp.
28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
29"""
30severity = "medium"
31tags = [
32        "Domain: Endpoint",
33        "OS: Linux",
34        "OS: macOS",
35        "Use Case: Threat Detection",
36        "Tactic: Defense Evasion",
37        "Data Source: Elastic Defend",
38        "Data Source: Elastic Endgame",
39        "Data Source: Auditd Manager"
40        ]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
46 (
47  ((process.args : ("rm", "echo") or
48    (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
49    (process.args : "truncate" and process.args : "-s0"))
50    and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
51                        ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
52  (process.name : "history" and process.args : "-c") or
53  (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
54  (process.args : "unset" and process.args : "HISTFILE") or
55  (process.args : "set" and process.args : "history" and process.args : "+o")
56 )
57'''
58
# ATT&CK mapping: Defense Evasion via Indicator Removal / Clear Command History.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique.subtechnique]]
id = "T1070.003"
name = "Clear Command History"
reference = "https://attack.mitre.org/techniques/T1070/003/"

# Sub-table of the current [[rule.threat]] element; must stay after it and before any next element.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

