Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1552.003 | Bash History |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1552.003 | Bash History |
Comments
TThis diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1552.003 | Bash History |
Comments
This diagnostic statement provides protection from Unsecured Credentials: Bash History through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1552.003 | Bash History | |
| SC-28 | Protection of Information at Rest | mitigates | T1552.003 | Bash History | |
| CM-07 | Least Functionality | mitigates | T1552.003 | Bash History | |
| SI-04 | System Monitoring | mitigates | T1552.003 | Bash History |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1552.003 | Bash History | |
| attribute.confidentiality.data_disclosure | None | related-to | T1552.003 | Bash History |