History File Deletion
Detects events in which a history file is deleted, e.g. ~/.bash_history, to remove traces of malicious activity
Sigma rule (View on GitHub)
```yaml
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/rm'
            - '/unlink'
            - '/shred'
    selection_history:
        - CommandLine|contains:
              - '/.bash_history'
              - '/.zsh_history'
        - CommandLine|endswith:
              - '_history'
              - '.history'
              - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: high
```
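To show how the rule's `condition: all of selection*` evaluates, here is an added example (not part of the Sigma project or this rule) that re-implements the two selections in plain Python and runs them over constructed process_creation events. It assumes events are dicts keyed by the rule's field names `Image` and `CommandLine`, and follows Sigma's default of case-insensitive string matching.

```python
# Added example: evaluate the History File Deletion rule logic over
# constructed Linux process_creation events (field names as in the rule).

# Value lists copied from the rule; each list is OR-ed within its modifier.
IMAGE_SUFFIXES = ("/rm", "/unlink", "/shred")
CMDLINE_CONTAINS = ("/.bash_history", "/.zsh_history")
CMDLINE_ENDSWITH = ("_history", ".history", "zhistory")


def matches_history_deletion(event: dict) -> bool:
    """Return True when both selections match, i.e. 'all of selection*'.

    selection        -> Image ends with one of the deletion binaries.
    selection_history-> a list of two maps, which Sigma OR-s together:
                        CommandLine contains a known history path, OR
                        CommandLine ends with a generic history suffix.
    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    sel_image = image.endswith(IMAGE_SUFFIXES)
    sel_history = (
        any(needle in cmdline for needle in CMDLINE_CONTAINS)
        or cmdline.endswith(CMDLINE_ENDSWITH)
    )
    return sel_image and sel_history


def run(events: list[dict]) -> list[int]:
    """Return the indices of events that would raise the alert."""
    return [i for i, event in enumerate(events) if matches_history_deletion(event)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rm",    "CommandLine": "rm -f /home/alice/.bash_history"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /root/.zsh_history"},
    {"Image": "/usr/bin/rm",    "CommandLine": "rm /tmp/build.log"},      # no history file
    {"Image": "/usr/bin/cat",   "CommandLine": "cat /home/alice/.bash_history"},  # not a deletion tool
    {"Image": "/bin/rm",        "CommandLine": "rm -f .sqlite_history"},  # generic '_history' suffix
]

if __name__ == "__main__":
    for idx in run(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The third and fourth events show why both selections are required: deleting an unrelated file, or merely reading a history file, does not fire the rule.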
Related rules
- Azure DNS Zone Modified or Deleted
- Azure Device or Configuration Modified or Deleted
- Cisco Denial of Service
- Commands to Clear or Remove the Syslog - Builtin
- Potential Suspicious Change To Sensitive/Critical Files