Linux Shell History Clearing via Environment Variables
Attackers may clear shell history on Linux systems to evade detection by manipulating environment variables related to shell history, such as HISTSIZE and HISTFILE, to prevent command logging.
Attackers on Linux systems may attempt to clear shell history to hide their activities and evade detection. This is achieved by manipulating environment variables that control the shell's history logging behavior. By setting variables like HISTSIZE or HISTFILESIZE to 0, HISTCONTROL to ignorespace, or redirecting HISTFILE to /dev/null, attackers can effectively disable or erase the command history, making it difficult for defenders to track their actions. This technique is often employed after gaining initial access to a system to mask subsequent malicious activities, such as privilege escalation, lateral movement, or data exfiltration. This activity can occur on any compromised Linux host, regardless of the specific distribution or kernel version. Detecting this behavior is crucial for identifying potentially compromised systems and uncovering attacker activity.
Attack Chain
- Attacker gains initial access to a Linux system, potentially through SSH or other remote access methods.
- Attacker identifies the current shell and its configuration.
- Attacker sets
HISTSIZEorHISTFILESIZEenvironment variables to0to prevent new history entries from being saved. - Attacker sets
HISTCONTROLtoignorespaceto prevent commands starting with a space from being saved. - Attacker redirects the
HISTFILEenvironment variable to/dev/nullto discard the history file. - Attacker executes commands related to enumeration, privilege escalation, or lateral movement.
- The executed commands are not recorded in the shell history due to the manipulated environment variables.
- Attacker attempts to remove traces of their presence and maintain stealth by avoiding logging their activities.
Impact
Successful clearing of shell history hinders forensic investigations and incident response efforts. By removing command history, attackers make it difficult to reconstruct their actions on the compromised system. This can lead to delayed detection, prolonged dwell time, and increased damage. The number of victims can vary depending on the scope of the attack, but any Linux system where an attacker gains shell access and clears the history is potentially affected. Sectors targeted may include any organization relying on Linux servers for critical infrastructure or data storage.
Recommendation
- Enable Elastic Defend and configure the
linux.advanced.capture_env_varssetting to captureHISTSIZE,HISTFILESIZE,HISTCONTROL, andHISTFILEto enable the detection rule to function properly. - Deploy the Sigma rule "Linux Shell History Clearing via Environment Variables" to your SIEM to detect this behavior, and tune it according to your environment.
- Investigate any alerts generated by the detection rule "Linux Shell History Clearing via Environment Variables" to determine the scope and impact of the potential compromise.
- Monitor for suspicious processes that modify shell environment variables related to history, using the provided Sigma rules as a starting point.
Detection coverage 2
Linux Shell History Clearing via HISTSIZE
highDetects the clearing of shell history by setting HISTSIZE to 0.
Linux Shell History Clearing via HISTFILE Null Redirect
highDetects the clearing of shell history by redirecting HISTFILE to /dev/null.
Detection queries are available on the platform. Get full rules →