T1552.003 Bash History Mappings

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-6 Configuration Settings Protects T1552.003 Bash History
CM-7 Least Functionality Protects T1552.003 Bash History
SC-28 Protection of Information at Rest Protects T1552.003 Bash History
SI-4 System Monitoring Protects T1552.003 Bash History
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1552.003 Unsecured Credentials: Bash History