Print History File Contents
Detects events in which someone prints the contents of shell history files to the command line or redirects them to a file for reconnaissance.
Sigma rule
```yaml
title: Print History File Contents
id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66
status: test
description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.reconnaissance
    - attack.t1592.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/cat'
            - '/head'
            - '/tail'
            - '/more'
    selection_history:
        - CommandLine|contains:
            - '/.bash_history'
            - '/.zsh_history'
        - CommandLine|endswith:
            - '_history'
            - '.history'
            - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: medium
```
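To see how the rule's `condition: all of selection*` combines its two blocks, here is an added example (not part of the rule or of Sigma's own tooling) that evaluates the rule's matching logic over a few constructed Linux process_creation events; it mirrors Sigma's case-insensitive `endswith`/`contains` modifiers, OR within a value list, and OR across the list of maps under `selection_history`. The sample events and field names `Image`/`CommandLine` are constructed to match the rule's logsource.

```python
# Added example: evaluates the Sigma rule above against constructed events.
RULE = {
    "selection": {
        "Image|endswith": ["/cat", "/head", "/tail", "/more"],
    },
    "selection_history": [  # list of maps -> OR between the maps
        {"CommandLine|contains": ["/.bash_history", "/.zsh_history"]},
        {"CommandLine|endswith": ["_history", ".history", "zhistory"]},
    ],
}


def field_matches(event, key, values):
    """One 'Field|modifier' entry: any listed value may match (OR).
    Sigma string matching is case-insensitive, so compare lowercased."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """A map is AND across its keys; a list of maps is OR across the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection* -> every selection* block must match."""
    return all(selection_matches(event, sel)
               for name, sel in RULE.items() if name.startswith("selection"))


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "/usr/bin/cat", "CommandLine": "cat /home/alice/.bash_history"},
    {"Image": "/usr/bin/tail", "CommandLine": "tail -n 50 ~/.zsh_history"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/passwd"},
    # 'less' is not in the Image list, so this one is NOT caught by the rule.
    {"Image": "/usr/bin/less", "CommandLine": "less /root/.bash_history"},
]


def matching_commandlines(events=EVENTS):
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cmd in matching_commandlines():
        print("ALERT:", cmd)
```

The fourth event shows a coverage gap worth knowing about when tuning: readers not listed under `Image` (here `less`) fall outside the rule even when a history file is named on the command line.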
Related rules
- Cat Sudoers
- Linux Recon Indicators
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked