T1552.003

Description from ATT&CK

Adversaries may search the command history on compromised systems for insecurely stored credentials.

On Linux and macOS systems, shells such as Bash and Zsh keep track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's history file. For each user, this file resides at the same location: for example, ~/.bash_history or ~/.zsh_history. Typically, these files keeps track of the user's last 1000 commands.

On Windows, PowerShell has both a command history that is wiped after the session ends, and one that contains commands used in all sessions and is persistent. The default location for persistent history can be found in %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt, but command history can also be accessed with Get-History. Command Prompt (CMD) on Windows does not have persistent history.(Citation: Microsoft about_History)(Citation: Medium)

Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials.(Citation: External to DA, the OS X Way)

Atomic Tests

• Atomic Test #1 - Search Through Bash History

• Atomic Test #2 - Search Through sh History

Atomic Test #1 - Search Through Bash History

Search through bash history for specifice commands we want to capture

Supported Platforms: Linux, macOS

auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce

Inputs:

Attack Commands: Run with sh!

cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}

Atomic Test #2 - Search Through sh History

Search through sh history for specifice commands we want to capture

Supported Platforms: Linux

auto_generated_guid: d87d3b94-05b4-40f2-a80f-99864ffa6803

Inputs:

Attack Commands: Run with sh!

cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}