T1552.003SubTechniquecredential-accessagent-callable

T1552.003Bash History

Sub-technique of T1552

Platforms: Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

ATT&CK tactics· 1

Credential Access

References

  1. https://attack.mitre.org/techniques/T1552/003
  2. http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.