Tampering of Bash Command-Line History
Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/05/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic
investigations.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Tampering of Bash Command-Line History"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
  (
    ((process.args : ("rm", "echo") or
      (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or
      (process.args : "truncate" and process.args : "-s0"))
     and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history", "/Users/.bash_history", "/Users/*/.bash_history",
                         ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
    (process.name : "history" and process.args : "-c") or
    (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
    (process.args : "unset" and process.args : "HISTFILE") or
    (process.args : "set" and process.args : "history" and process.args : "+o")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.003"
name = "Clear Command History"
reference = "https://attack.mitre.org/techniques/T1070/003/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
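To see exactly which process events the EQL query above would flag, the following Python script re-implements its predicate over a handful of constructed ECS-style process events. This is an added illustration, not code from Elastic or the detection-rules repository; the sample events, the `make_event` helper and the way the `:` operator is approximated (case-insensitive match with `*` as a wildcard, tested against every element of `process.args`) are assumptions made here for the example.

```python
import re
from typing import Dict, List, Sequence, Union

Patterns = Union[str, Sequence[str]]

# History file patterns copied from the rule's query.
HISTORY_FILES = [
    ".bash_history", "/root/.bash_history", "/home/*/.bash_history",
    "/Users/.bash_history", "/Users/*/.bash_history",
    ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history",
    "/Users/.zsh_history", "/Users/*/.zsh_history",
]


def eql_match(value: str, patterns: Patterns) -> bool:
    """Approximation of EQL's ':' operator (assumption): case-insensitive,
    with '*' matching any run of characters; every other character is literal."""
    if isinstance(patterns, str):
        patterns = [patterns]
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, flags=re.IGNORECASE):
            return True
    return False


def args_has(args: Sequence[str], patterns: Patterns) -> bool:
    """'process.args : x' is true if ANY element of the args array matches."""
    return any(eql_match(arg, patterns) for arg in args)


def matches_rule(event: Dict) -> bool:
    """Evaluate the rule's EQL predicate against one ECS process event."""
    if event.get("event", {}).get("type") not in ("start", "process_started"):
        return False
    proc = event.get("process", {})
    args: List[str] = proc.get("args", [])
    name: str = proc.get("name", "")

    # Branch 1: a removal/overwrite utility invoked with a history file argument.
    removal = (
        args_has(args, ["rm", "echo"])
        or (args_has(args, "ln") and args_has(args, "-sf") and args_has(args, "/dev/null"))
        or (args_has(args, "truncate") and args_has(args, "-s0"))
    )
    if removal and args_has(args, HISTORY_FILES):
        return True
    # Branch 2: clearing the in-memory history.
    if eql_match(name, "history") and args_has(args, "-c"):
        return True
    # Branches 3-5: disabling history through the shell's environment/options.
    if args_has(args, "export") and args_has(args, ["HISTFILE=/dev/null", "HISTFILESIZE=0"]):
        return True
    if args_has(args, "unset") and args_has(args, "HISTFILE"):
        return True
    if args_has(args, "set") and args_has(args, "history") and args_has(args, "+o"):
        return True
    return False


def make_event(name: str, args: Sequence[str], event_type: str = "start") -> Dict:
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {"event": {"type": event_type}, "process": {"name": name, "args": list(args)}}


# Constructed sample events: four that the rule should flag, three it should not.
SAMPLE_EVENTS = [
    make_event("rm", ["rm", "-f", "/home/alice/.bash_history"]),
    make_event("history", ["history", "-c"]),
    make_event("ln", ["ln", "-sf", "/dev/null", "/root/.bash_history"]),
    make_event("bash", ["export", "HISTFILE=/dev/null"]),
    make_event("rm", ["rm", "-f", "/tmp/build.log"]),                 # ordinary cleanup
    make_event("cat", ["cat", "/home/alice/.bash_history"]),          # reads, does not remove
    make_event("rm", ["rm", "/home/alice/.bash_history"], "end"),     # wrong event.type
]


def flagged_commands(events: Sequence[Dict]) -> List[str]:
    """Return the command lines of the events the rule would alert on."""
    return [" ".join(e["process"]["args"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd in flagged_commands(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Two points worth noticing when tuning this rule: `process.args : "rm"` is true when any element of the args array equals `rm`, not only the first one, so the branch also fires for wrappers such as `sudo rm ~/.bash_history`; and shell redirection (`> ~/.bash_history`) is consumed by the shell and never appears in `process.args`, so the rule only sees history files that are passed as real arguments.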
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested
and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested
to @timestamp for this rule to work.
Related rules
- Elastic Agent Service Terminated
- Masquerading Space After Filename
- Timestomping using Touch Command
- WebServer Access Logs Deleted
- Attempt to Disable Gatekeeper