Find sigma rule

Attack: Unsecured Credentials: Bash History

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the “history” utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

MITRE

Tactic

credential-access

technique

T1552.003

Test : Search Through sh History

OS

linux

Description:

Search through sh history for specifice commands we want to capture

Executor

Sigma Rule

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test