
T1552.003 Bash History

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the “history” utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. 1
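The paragraph above describes the exposure from the attacker's side; the defender's counterpart is a periodic hygiene check of one's own history so that leaked values can be rotated and scrubbed. The following POSIX shell script is an added example and not part of the ATT&CK page: it writes a small constructed history file, counts the command lines whose arguments carry credentials in a few common shapes (`--password=`, `sshpass -p`, `-u user:pass`, `NAME=value` assignments), and prints those lines with the secret value masked so the report itself does not leak anything. The pattern list, function names and sample lines are assumptions for illustration, not an exhaustive detector.

```shell
#!/bin/sh
# Added example, not from the ATT&CK page: audit a history file for command
# lines that carry credentials as arguments and report them with the secret
# masked. The pattern list is an assumption (a few common CLI shapes only).

# ERE for the text that immediately precedes a secret; the secret itself is
# the run of non-space characters that follows it.
CRED_PREFIX_RE='(--password[= ]|sshpass -p |-u [^[:space:]]+:|(PASSWORD|PASSWD|TOKEN|SECRET|API_KEY)=)'
CRED_LINE_RE="${CRED_PREFIX_RE}[^[:space:]]+"

# Print how many lines of the history file ($1) look like they contain a credential.
count_credential_lines() {
  grep -cE "$CRED_LINE_RE" "$1"
}

# Print the offending lines of $1, numbered, with each secret value replaced by ***.
report_credential_lines() {
  grep -nE "$CRED_LINE_RE" "$1" | sed -E "s/${CRED_PREFIX_RE}[^[:space:]]+/\\1***/g"
}

# Write a constructed sample history (not a real user's file) and print its path;
# the caller removes it when done.
make_sample_history() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
ls -la
mysql --password=hunter2 -e 'show databases'
curl -u admin:s3cret https://example.invalid/api
find . -name '*.log' -print
export API_KEY=abc123
git status
EOF
  echo "$f"
}

# Demonstration on the constructed sample; point the functions at
# ~/.bash_history to audit a real account.
sample=$(make_sample_history)
echo "$(count_credential_lines "$sample") line(s) carry credential-like arguments:"
report_credential_lines "$sample"
rm -f "$sample"
```

The report lines keep the option name and drop only the value, which is what a reviewer needs to decide which credential to rotate; once rotated, the matching lines can be deleted from the file and the running shell's list refreshed with `history -r`.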

Item Value
ID T1552.003
Sub-techniques T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1552.007, T1552.008
Tactics TA0006
Platforms Linux, macOS
Permissions required User
Version 1.1
Created 04 February 2020
Last Modified 08 March 2022

Procedure Examples

ID Name Description
S0599 Kinsing Kinsing has searched bash_history for credentials.2

Mitigations

ID Mitigation Description
M1028 Operating System Configuration There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands:
set +o history to stop logging, and set -o history to start logging again;
unset HISTFILE being added to a user's .bashrc file; and
ln -s /dev/null ~/.bash_history to write commands to /dev/null instead.
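Each of the three mitigations can be checked directly rather than taken on trust. The script below is an added example, not part of the ATT&CK page: it starts a throwaway interactive bash with HOME pointed at a temporary directory, feeds it a short session, and then reads back whatever reached that directory's .bash_history. The first run applies no mitigation and shows the marker command being recorded; the other three apply each listed command first and show that it is not. The helper names and the marker command are assumptions; bash must be installed, and the caller's own history and rc files are never touched because the session runs under a fresh HOME with `--norc`.

```shell
#!/bin/sh
# Added example, not from the ATT&CK page: observe what reaches .bash_history
# with and without each M1028 mitigation, using a fresh rc-less interactive
# bash (assumed installed) under a temporary HOME.

# Run the given lines in a fresh interactive bash and print the history file
# it left behind (empty output if none was written).
history_after_session() {
  home=$(mktemp -d)
  # -i: interactive, so history is kept and flushed at exit;
  # --norc: ignore any ~/.bashrc that could itself alter HISTFILE or HISTCONTROL.
  printf '%s\n' "$@" | HOME="$home" bash --norc -i >/dev/null 2>&1
  cat "$home/.bash_history" 2>/dev/null
  rm -rf "$home"
}

# Run the given mitigation lines (if any), then a marker command; print 1 if
# the marker command ended up in the history file, 0 otherwise.
command_was_recorded() {
  case "$(history_after_session "$@" 'echo marker-command')" in
    *"echo marker-command"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Demonstration: 1 = recorded, 0 = not recorded.
printf 'no mitigation:         %s\n' "$(command_was_recorded)"
printf 'set +o history:        %s\n' "$(command_was_recorded 'set +o history')"
printf 'unset HISTFILE:        %s\n' "$(command_was_recorded 'unset HISTFILE')"
printf 'symlink to /dev/null:  %s\n' "$(command_was_recorded 'ln -s /dev/null ~/.bash_history')"
```

Note that `set +o history` is itself the last line written, since it is read into the history list before it executes; only the commands after it are dropped. The `unset HISTFILE` and symlink variants leave nothing readable at all, which is why a defender monitoring DS0022 file access to .bash_history should expect an absent or zero-length file on hosts where these settings are in use.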

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access

References