Detects disabling of Bash history by zeroing the history file size or redirecting the history file to /dev/null, as well as standard clearing with "history -c".
https://github.com/exeronn/Linux-Detection/blob/main/Sigma/Defense%20Evasion/bash_history_delete.yml
🦖Day 88 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System.BashLogout
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.bashlogout
----
This artifact collects Bash logout files (e.g. ~/.bash_logout) so they can be examined for abnormal activity.
Bash logout files run commands when a login shell exits, such as clearing the terminal so the next user cannot read the screen.
----
An adversary could leverage this capability to cover their tracks by clearing logs, deleting files, etc.
One example is adding commands such as the following to ~/.bash_logout so that the user's Bash history is wiped on every logout:
'history -c'
'cat /dev/null > ~/.bash_history'
Note that 'history -c' only empties the in-memory history list; truncating ~/.bash_history is what removes the commands already written to disk, which is why the two are commonly used together.
https://attack.mitre.org/techniques/T1070/003/
----
This artifact also takes a 'ContentFilter' parameter for searching the collected files for specific content, such as the history-clearing commands above.
Additionally, in-scope Bash logout files can be uploaded to the Velociraptor server by enabling the 'UploadFiles' option.
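As an added example (not the Velociraptor artifact's own VQL, and not from the Sigma rule linked at the top), the Python below does offline what the artifact's 'ContentFilter' and the history-deletion rule look for: it finds Bash logout files under a root directory (a live host's '/' or a mounted image) and flags the history-clearing and history-disabling commands described above. The regex list, the set of file locations, and the two sample logout files are constructed here; the benign sample is modelled on the Debian default, and the variants beyond 'history -c' and the /dev/null redirect are common tampering patterns, not something the post itself lists.

```python
"""Scan Bash logout files for history-clearing commands (ATT&CK T1070.003).

Added example: a Python stand-in for the Velociraptor artifact's ContentFilter,
not the artifact's own VQL. Regexes, file locations and samples are constructed.
"""
import re
import tempfile
from pathlib import Path

# Ways an adversary wipes or disables Bash history. history_clear and
# truncate_history are the two commands quoted in the post; the remaining
# entries are common variants added here as an assumption.
HISTORY_TAMPER_PATTERNS = {
    "history_clear":        re.compile(r"\bhistory\s+-[a-z]*c[a-z]*\b"),
    "truncate_history":     re.compile(r"(?<!>)>\s*\S*\.bash_history\b"),
    "remove_history":       re.compile(r"\b(?:rm|shred|unlink)\b[^;|&\n]*\.bash_history\b"),
    "histfile_devnull":     re.compile(r"\bHISTFILE=\S*/dev/null\b"),
    "histfile_unset":       re.compile(r"\bunset\s+HISTFILE\b"),
    "histsize_zero":        re.compile(r"\bHIST(?:FILE)?SIZE=[\"']?0[\"']?(?=\s|;|$)"),
    "history_symlink_null": re.compile(r"\bln\s+-\w*s\w*\s+/dev/null\s+\S*\.bash_history\b"),
}

# Where Bash logout files live, relative to the filesystem root being examined.
LOGOUT_GLOBS = ("etc/bash.bash_logout", "root/.bash_logout", "home/*/.bash_logout")


def scan_content(text: str) -> list[dict]:
    """Return one finding per (line, pattern) hit.

    Text after '#' is dropped before matching (crude comment stripping), so a
    commented-out 'history -c' that never executes does not fire.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]
        if not code.strip():
            continue
        for name, pattern in HISTORY_TAMPER_PATTERNS.items():
            if pattern.search(code):
                findings.append({"line": line_no, "pattern": name, "text": line.strip()})
    return findings


def find_logout_files(root: Path) -> list[Path]:
    """All Bash logout files under root, sorted for stable output."""
    found = []
    for pattern in LOGOUT_GLOBS:
        found.extend(p for p in root.glob(pattern) if p.is_file())
    return sorted(found)


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Map each logout file (path relative to root) to its findings; clean files map to []."""
    return {
        str(path.relative_to(root)): scan_content(path.read_text(errors="replace"))
        for path in find_logout_files(root)
    }


# Constructed samples. BENIGN_LOGOUT is modelled on the Debian default.
BENIGN_LOGOUT = """# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
"""

MALICIOUS_LOGOUT = """# looks harmless at a glance
clear
export HISTFILESIZE=0
history -c
cat /dev/null > ~/.bash_history
"""


def run_demo() -> dict[str, list[str]]:
    """Build a throwaway tree with one clean and one tampered logout file,
    scan it, and return {relative path: [pattern names that fired]}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for user, content in (("alice", BENIGN_LOGOUT), ("mallory", MALICIOUS_LOGOUT)):
            home = root / "home" / user
            home.mkdir(parents=True)
            (home / ".bash_logout").write_text(content)
        results = scan_tree(root)
    return {path: [f["pattern"] for f in hits] for path, hits in results.items()}


if __name__ == "__main__":
    for path, patterns in run_demo().items():
        print(f"{path}: {patterns or 'clean'}")
```

Point scan_tree at Path("/") on a live host or at the mount point of an image; the comment stripping is deliberately simple, so treat a hit as a lead to read the file, not as a verdict.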
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #linux #t1070 #threathunting