Unsecured Credentials: Bash History

Adversaries may search the bash command history on compromised systems for insecurely stored machine identities and credentials. Bash keeps track of the commands users type on the command line through its "history" facility. Once a user logs out, the history is flushed to the user's .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user's last 500 commands. Users often type their usernames, keys and passwords on the command line as parameters to programs, and those parameters are then saved to this file when they log out. Attackers can abuse this by looking through the file for potential machine identities and credentials. [1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitoring when a user's .bash_history file is read can help alert to suspicious activity. While users typically do rely on their history of commands, they usually access it through the "history" builtin rather than with commands like cat ~/.bash_history, so a read of the file by a process other than the shell itself stands out.
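The detection idea above, worked through as an added example that is not part of the original page: it assumes an auditd watch rule such as `-w /home/alice/.bash_history -p r -k bash_history_read` (hypothetical), joins the resulting SYSCALL and PATH records by event serial, and reports reads of any .bash_history file by a process other than bash (which legitimately reads the file when a session starts). The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed auditd records (not real logs), of the kind emitted by an assumed rule
#   -w /home/alice/.bash_history -p r -k bash_history_read
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1609070000.101:301): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="bash" exe="/usr/bin/bash" key="bash_history_read"
type=PATH msg=audit(1609070000.101:301): item=0 name="/home/alice/.bash_history" nametype=NORMAL
type=SYSCALL msg=audit(1609070000.250:302): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="bash_history_read"
type=PATH msg=audit(1609070000.250:302): item=0 name="/home/alice/.bash_history" nametype=NORMAL
type=SYSCALL msg=audit(1609070000.400:303): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1001 comm="grep" exe="/usr/bin/grep" key="bash_history_read"
type=PATH msg=audit(1609070000.400:303): item=0 name="/home/alice/.bash_history" nametype=NORMAL
"""

# bash reads the file itself at session start; "history" is a builtin and never opens
# the file separately, so any other reader is worth an alert.
EXPECTED_READERS = {"bash"}
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group auditd records by event serial so SYSCALL and PATH lines can be joined."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(2)]
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return events

def find_history_reads(log_text):
    """Return (serial, auid, comm, path) for each successful read of a .bash_history
    file by a process that is not in EXPECTED_READERS."""
    alerts = []
    for serial, ev in sorted(parse_events(log_text).items(), key=lambda kv: int(kv[0])):
        hist_paths = [p for p in ev["paths"] if p.endswith("/.bash_history")]
        if not hist_paths or ev.get("success") != "yes":
            continue
        if ev.get("comm") in EXPECTED_READERS:
            continue
        alerts.append((serial, ev.get("auid"), ev.get("comm"), hist_paths[0]))
    return alerts

if __name__ == "__main__":
    for alert in find_history_reads(SAMPLE_AUDIT_LOG):
        print("suspicious .bash_history read:", alert)
```

Matching on auid rather than uid keeps the original login identity visible even when the reader has switched to root, as in the third constructed event.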

References

ID: VT0017.003
Sub-techniques:
Tactic: Credential Access
Platforms: Linux, macOS
Permissions Required: User
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Version: 1.0

Created: 27 December 2020

Last Modified: 27 December 2020