Suspicious History File Operations
Detects commandline operations on shell history files
Sigma rule (View on GitHub)
1title: Suspicious History File Operations
2id: 508a9374-ad52-4789-b568-fc358def2c65
3status: test
4description: Detects commandline operations on shell history files
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
7author: 'Mikhail Larin, oscd.community'
8date: 2020/10/17
9modified: 2021/11/27
10tags:
11 - attack.credential_access
12 - attack.t1552.003
13logsource:
14 product: macos
15 category: process_creation
16detection:
17 selection:
18 CommandLine|contains:
19 - '.bash_history'
20 - '.zsh_history'
21 - '.zhistory'
22 - '.history'
23 - '.sh_history'
24 - 'fish_history'
25 condition: selection
26falsepositives:
27 - Legitimate administrative activity
28 - Legitimate software, cleaning hist file
29level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Credentials In Files
- Kerberos Network Traffic RC4 Ticket Encryption
- Possible Impacket SecretDump Remote Activity - Zeek
- Password Dumper Activity on LSASS
- Time Travel Debugging Utility Usage