Bash History

Information

• Name: Bash History

• ID: T1552.003

• Tactics: TA0006

• Technique: T1552

Introduction

Bash History (T1552.003) is a sub-technique of the MITRE ATT&CK framework under the Credential Access tactic, specifically categorized within the Unsecured Credentials technique. Attackers leverage this sub-technique by accessing and analyzing Bash history files (~/.bash_history) to discover sensitive credentials, commands, or configuration details stored inadvertently or carelessly by users. Bash history files typically record commands executed by users in Unix-like systems, making them an attractive target for attackers seeking to escalate privileges, move laterally, or gain access to sensitive resources.

Deep Dive Into Technique

The Bash shell, commonly used in Unix and Linux environments, stores executed commands in a history file (~/.bash_history) by default. Attackers who gain initial access to a system or user account may attempt to read this file to uncover credentials, sensitive command-line arguments, or other useful operational intelligence. Technical specifics include:

• Default Location: User's home directory (~/.bash_history).

• File Permissions: Typically readable and writable by the user (600 permissions), but attackers who compromise user accounts can easily access it.

• Content Stored: Commands executed in the Bash shell, including:

  • Plaintext passwords entered directly into command-line parameters.

  • Authentication tokens, API keys, or other secrets entered via command-line arguments.

  • Sensitive file paths, system configurations, or operational details.

• Common Attack Methods:

  • Directly reading Bash history files after compromising user credentials or exploiting vulnerabilities.

  • Using automated scripts or tools to parse history files for sensitive data.

  • Modifying or clearing history files to hide attacker activity post-exploitation.

• Real-World Procedures:

  • Attackers may use simple commands such as cat ~/.bash_history, less ~/.bash_history, or grep to quickly find sensitive information.

  • Automated enumeration tools and scripts often include Bash history checks as part of reconnaissance activities.

  • Attackers may also manipulate history files (history -c) to remove evidence of their presence.

When this Technique is Usually Used

Attackers commonly leverage Bash history analysis at various stages of the cyber kill chain, particularly during:

• Initial Access and Reconnaissance:

  • Immediately after gaining initial user-level access to discover sensitive credentials or system information.

• Credential Access and Privilege Escalation:

  • Searching for passwords or credentials accidentally entered into command-line parameters.

  • Gathering intelligence on user actions and configurations to escalate privileges.

• Lateral Movement:

  • Identifying credentials or SSH keys used previously by legitimate users to access other systems within the network.

• Post-Exploitation and Persistence:

  • Removing or altering Bash history files (history -c, rm ~/.bash_history) to erase evidence of attacker activities and maintain stealth.

How this Technique is Usually Detected

Detection of Bash history exploitation involves monitoring and analyzing file access, command execution, and user behavior. Common detection methods and strategies include:

• File Integrity Monitoring (FIM):

  • Tools such as OSSEC, Tripwire, or Auditd monitor access and modifications of Bash history files.

• Endpoint Detection and Response (EDR) Tools:

  • Detect suspicious file access patterns or command execution sequences.

  • Alert on commands like cat ~/.bash_history, grep password ~/.bash_history, or unusual file deletions.

• Security Information and Event Management (SIEM) Systems:

  • Correlate logs from audit systems, Bash history, and command-line logging to detect anomalous activity.

• User Behavior Analytics (UBA):

  • Detect unusual user actions, such as sudden clearing of command history or unauthorized access to other users' history files.

• Specific Indicators of Compromise (IoCs):

  • Commands executed to access or parse history files:

    • cat ~/.bash_history

    • grep -i password ~/.bash_history

    • less ~/.bash_history

  • Commands executed to clear or modify history files:

    • history -c

    • rm ~/.bash_history

    • truncate -s 0 ~/.bash_history

  • Unusual access timestamps or file modification timestamps on Bash history files.

Why it is Important to Detect This Technique

Early detection of Bash history exploitation is critical due to the significant impacts it can have on organizations, including:

• Credential Exposure:

  • Attackers may discover plaintext passwords, API keys, SSH keys, or authentication tokens, enabling further compromise.

• Privilege Escalation:

  • Sensitive commands or credentials stored in history files can allow attackers to escalate privileges quickly.

• Lateral Movement:

  • Attackers can leverage discovered credentials or SSH keys to pivot and compromise additional systems within the network.

• Operational Intelligence Leakage:

  • Attackers gain insights into user behavior, system configurations, and operational details, facilitating advanced attacks or persistent access.

• Incident Response Challenges:

  • Attackers clearing or modifying history files complicate forensic investigations and response efforts.

• Compliance and Regulatory Risks:

  • Exposure of sensitive credentials or data through Bash history can lead to compliance violations, regulatory fines, or reputational damage.

Detecting this technique early helps organizations mitigate these risks, contain attacker movements, and improve incident response effectiveness.

Examples

Real-world examples and scenarios involving Bash History exploitation include:

• Credential Theft via Plaintext Passwords:

  • An attacker compromises a user account via phishing or brute force. The attacker checks the user's Bash history (cat ~/.bash_history) and discovers plaintext passwords entered directly into command-line arguments, enabling immediate escalation of privileges or lateral movement.

• SSH Key Discovery for Lateral Movement:

  • After initial compromise, attackers find commands such as ssh user@internalserver -i ~/.ssh/id_rsa in history files. Attackers then extract the SSH private keys and move laterally within the internal network, compromising additional systems.

• Cloud Infrastructure Compromise:

  • Attackers compromise cloud instances or containers and analyze Bash history to find AWS CLI commands containing sensitive access keys or tokens. Attackers subsequently leverage these credentials to access cloud resources, exfiltrate data, or conduct further attacks.

• Stealth and Anti-Forensics:

  • Attackers execute commands such as history -c or rm ~/.bash_history after completing malicious activities to remove evidence and hinder incident response efforts.

• Automated Enumeration Scripts:

  • Tools such as LinPEAS, Linux Smart Enumeration (lse), or custom scripts automatically parse Bash history files during initial reconnaissance phases to rapidly identify sensitive information.

In these scenarios, attackers gain significant advantages by leveraging simple yet effective exploitation of Bash history files, underscoring the importance of proactive detection and prevention measures.