T1552.003 - Unsecured Credentials: Bash History

Description from ATT&CK

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

Atomic Tests


Atomic Test #1 - Search Through Bash History

Search through bash history for specifice commands we want to capture

Supported Platforms: Linux, macOS

auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | ~/loot.txt| | bash_history_grep_args | grep arguments that filter out specific commands we want to capture | path | -e ‘-p ‘ -e ‘pass’ -e ‘ssh’| | bash_history_filename | Path of the bash history file to capture | path | ~/.bash_history|

Attack Commands: Run with
1
sh
!

1
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}



Atomic Test #2 - Search Through sh History

Search through sh history for specifice commands we want to capture

Supported Platforms: Linux

auto_generated_guid: d87d3b94-05b4-40f2-a80f-99864ffa6803

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | ~/loot.txt| | sh_history_grep_args | grep arguments that filter out specific commands we want to capture | path | -e ‘-p ‘ -e ‘pass’ -e ‘ssh’| | sh_history_filename | Path of the sh history file to capture | path | ~/.history|

Attack Commands: Run with
1
sh
!

1
cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}