
DET0385 Detect Access and Parsing of .bash_history Files for Credential Harvesting

| Item | Value |
| --- | --- |
| ID | DET0385 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1552.003 (Shell History)

Analytics

Linux

AN1085

A process outside of an interactive shell context reads ~/.bash_history directly (e.g., using cat, less, grep), often shortly after privilege escalation or a user switch (su/sudo). This may be followed by credential scanning in memory or by file writes to new locations.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | auditd:SYSCALL | open/read access to ~/.bash_history |
| Process Creation (DC0032) | auditd:EXECVE | cat |
| File Creation (DC0039) | auditd:SYSCALL | write or create file after .bash_history access |

Mutable Elements

| Field | Description |
| --- | --- |
| UserContext | Filter by users with elevated privileges or service accounts |
| TimeWindow | Correlate access to .bash_history within X seconds of user switch or privilege escalation |
| ProcessNamePatterns | Add/remove CLI utilities used to read bash history |
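The Linux analytic above, as an added example that is not part of the ATT&CK entry: a small correlator that reads constructed, simplified auditd-style records (the PATH name and open flags are folded into the SYSCALL line, which real auditd splits across records), flags .bash_history reads by processes outside the allowed shell set, and enriches each hit with the two correlations the analytic names (a preceding su/sudo by the same login user and a following file creation). The 30-second window and the shell/switch process sets are assumed tuning values for TimeWindow, ProcessNamePatterns and UserContext.

```python
import re

SHELL_PROCS = {"bash", "zsh", "sh", "dash"}   # interactive shells: reading their own history is expected
SWITCH_PROCS = {"su", "sudo"}                  # user switch / privilege escalation (UserContext)
TIME_WINDOW = 30.0                             # TimeWindow: seconds after a switch that count as "shortly after"

# Constructed, simplified auditd-style records (not real captures). auid is the original login
# user, which survives su/sudo, so it is the key used to tie the three stages together.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1761043200.100:501): syscall=59 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo"
type=SYSCALL msg=audit(1761043205.400:502): syscall=257 auid=1000 uid=0 comm="bash" name="/root/.bash_history" flags="O_RDONLY"
type=SYSCALL msg=audit(1761043212.900:503): syscall=257 auid=1000 uid=0 comm="cat" name="/home/alice/.bash_history" flags="O_RDONLY"
type=SYSCALL msg=audit(1761043214.000:504): syscall=257 auid=1000 uid=0 comm="cat" name="/tmp/.h" flags="O_WRONLY|O_CREAT"
type=SYSCALL msg=audit(1761050000.000:505): syscall=257 auid=1001 uid=1001 comm="grep" name="/home/bob/.bash_history" flags="O_RDONLY"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse(line):
    """Turn one key=value audit line into a dict, adding a float timestamp and the event serial."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, serial = TS_RE.search(line).groups()
    rec["ts"], rec["serial"] = float(ts), serial
    return rec

def detect(log_text):
    """Flag .bash_history reads by non-shell processes and score them by the surrounding activity."""
    last_switch = {}   # auid -> timestamp of the most recent su/sudo
    pending = {}       # auid -> (timestamp, alert index) of the latest flagged read, awaiting a file write
    alerts = []
    for line in log_text.splitlines():
        r = parse(line)
        auid = r.get("auid")
        if r.get("comm") in SWITCH_PROCS:
            last_switch[auid] = r["ts"]
        elif r.get("name", "").endswith("/.bash_history") and r.get("comm") not in SHELL_PROCS:
            since_switch = r["ts"] - last_switch.get(auid, float("-inf"))
            alerts.append({"serial": r["serial"], "auid": auid, "comm": r["comm"], "path": r["name"],
                           "post_switch": since_switch <= TIME_WINDOW, "followed_by_write": False})
            pending[auid] = (r["ts"], len(alerts) - 1)
        elif "O_CREAT" in r.get("flags", "") and auid in pending:
            read_ts, idx = pending[auid]
            if r["ts"] - read_ts <= TIME_WINDOW:
                alerts[idx]["followed_by_write"] = True
    for a in alerts:                      # one correlation hit -> medium, both -> high
        a["severity"] = ("low", "medium", "high")[a["post_switch"] + a["followed_by_write"]]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the bash read of /root/.bash_history is ignored, the cat read 12.8 s after sudo followed by a new file in /tmp scores high, and the lone grep by a user with no recent switch scores low.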

macOS

AN1086

A process or terminal command outside of the standard shell utilities reads the user's .bash_history file. On macOS, unified logs or telemetry from the Endpoint Security framework (ESF) may observe the file read APIs or a terminal process lineage that shows access not initiated by the user.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Access (DC0055) | macos:endpointsecurity | open or read syscall to ~/.bash_history |
| Process Metadata (DC0034) | macos:unifiedlog | non-shell process tree accessing bash history |

Mutable Elements

| Field | Description |
| --- | --- |
| ParentProcessCheck | Scope access to .bash_history only if parent is not Terminal.app or bash/zsh |
| AccessFrequency | Raise priority if .bash_history is accessed multiple times in a short window |