Bash History - T1552.003
(ATT&CK® Technique)
Definition
Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials.
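Defenders can audit history files for the exposure described above: credential-like command-line parameters and history files readable by other accounts. The Python below is an added example, not part of the D3FEND or ATT&CK content; its patterns, sample history and function names are constructed assumptions.

```python
import os
import re
import stat

# Constructed heuristics (assumptions, not a complete rule set). Each pattern
# has exactly one capture group: the secret value, which is masked in output.
PATTERNS = {
    "mysql -p<password>": re.compile(r"\bmysql\b.*?\s-p(\S+)"),
    "sshpass -p": re.compile(r"\bsshpass\s+-p\s*(\S+)"),
    "curl -u user:pass": re.compile(r"\bcurl\b.*?\s(?:-u|--user)\s+[^\s:]+:(\S+)"),
    "credentials in URL": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@"),
    "secret in variable": re.compile(
        r"\b\w*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)\w*=(\S+)", re.I),
}

# Constructed sample history, including a "#<epoch>" timestamp line as bash
# writes when HISTTIMEFORMAT is set.
SAMPLE = """\
#1700000000
ls -la /var/www
mysql -u root -pS3cr3t! shopdb
mysql -u root -p shopdb
curl -u admin:Hunter2 https://intranet.example/api
git clone https://deploy:tok123@git.example.com/app.git
export AWS_SECRET_ACCESS_KEY=EXAMPLEKEY
"""

def _mask(m):
    """Replace only the captured secret inside the matched text."""
    start, end = m.start(1) - m.start(), m.end(1) - m.start()
    return m.group(0)[:start] + "<redacted>" + m.group(0)[end:]

def scan_history(text):
    """Return (line_no, [rules], redacted_line) for credential-like commands."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if re.fullmatch(r"#\d+", line):  # timestamp marker, not a command
            continue
        rules, redacted = [], line
        for rule, rx in PATTERNS.items():
            redacted, n = rx.subn(_mask, redacted)
            if n:
                rules.append(rule)
        if rules:
            findings.append((no, rules, redacted))
    return findings

def loose_permissions(path):
    """True if group or other holds any permission bit on the history file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

Findings are returned with the secret masked so the audit report does not itself become a second copy of the credential; any value flagged this way should be treated as exposed and rotated.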
D3FEND Inferred Relationships
Offensive technique and the artifacts it touches:
Bash History (T1552.003) accesses Command History Log File
Bash History (T1552.003) accesses Credential

Defensive techniques acting on Command History Log File:
File Integrity Monitoring analyzes Command History Log File (may-detect Bash History)
File Analysis analyzes Command History Log File (may-detect Bash History)
File Eviction deletes Command History Log File (may-evict Bash History)
Decoy File spoofs Command History Log File (may-deceive Bash History)
File Encryption encrypts Command History Log File (may-harden Bash History)
Restore File restores Command History Log File (may-restore Bash History)
Remote File Access Mediation isolates Command History Log File (may-isolate Bash History)
Local File Permissions restricts Command History Log File (may-isolate Bash History)

Defensive techniques acting on Credential:
Credential Compromise Scope Analysis analyzes Credential (may-detect Bash History)
Authentication Cache Invalidation deletes Credential (may-evict Bash History)
Credential Revocation deletes Credential (may-evict Bash History)
Decoy User Credential spoofs Credential (may-deceive Bash History)
Credential Rotation regenerates Credential (may-harden Bash History)
Reissue Credential restores Credential (may-restore Bash History)
Multi-factor Authentication uses Credential (may-harden Bash History)
Credential Transmission Scoping isolates Credential (may-isolate Bash History)
Credential Hardening hardens Credential (may-harden Bash History)