T1552.003
Unsecured Credentials Bash History
Description from ATT&CK
Adversaries may search the command history on compromised systems for insecurely stored credentials.
On Linux and macOS systems, shells such as Bash and Zsh keep track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's history file. For each user, this file resides at the same location: for example, ~/.bash_history or ~/.zsh_history. Typically, these files keeps track of the user's last 1000 commands.
On Windows, PowerShell has both a command history that is wiped after the session ends, and one that contains commands used in all sessions and is persistent. The default location for persistent history can be found in %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt, but command history can also be accessed with Get-History. Command Prompt (CMD) on Windows does not have persistent history.(Citation: Microsoft about_History)(Citation: Medium)
Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials.(Citation: External to DA, the OS X Way)
Tests
Test #1 - Search for passwords in history files
This test searches for passwords in the bash history file.
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| filename | str | .zsh_history |
| searchTerm | str | password |
set homeDir to (path to home folder as text)
set historyPath to homeDir & ".zsh_history"
try
set fileContent to read file historyPath
set lineList to paragraphs of fileContent
set matchCount to 0
set matchList to {}
repeat with currentLine in lineList
set lineText to currentLine as string
if lineText starts with ": " and lineText contains ";" then
set semicolonPos to offset of ";" in lineText
if semicolonPos > 0 then
set lineText to text (semicolonPos + 1) thru -1 of lineText
end if
end if
if lineText contains "password" then
set matchCount to matchCount + 1
if matchCount ≤ 10 then
set end of matchList to lineText
end if
end if
end repeat
return "Found " & matchCount & " matches:" & return & (matchList as string)
on error errMsg
return "Error: " & errMsg
end tryDownload Files
Download .scpt Download .swift Download Binary Download Application Bundle