{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shell-history/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","linux","shell-history"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eAttackers on Linux systems may attempt to clear shell history to hide their activities and evade detection. This is achieved by manipulating environment variables that control the shell's history logging behavior. By setting variables like \u003ccode\u003eHISTSIZE\u003c/code\u003e or \u003ccode\u003eHISTFILESIZE\u003c/code\u003e to \u003ccode\u003e0\u003c/code\u003e, \u003ccode\u003eHISTCONTROL\u003c/code\u003e to \u003ccode\u003eignorespace\u003c/code\u003e, or redirecting \u003ccode\u003eHISTFILE\u003c/code\u003e to \u003ccode\u003e/dev/null\u003c/code\u003e, attackers can effectively disable or erase the command history, making it difficult for defenders to track their actions. This technique is often employed after gaining initial access to a system to mask subsequent malicious activities, such as privilege escalation, lateral movement, or data exfiltration. This activity can occur on any compromised Linux host, regardless of the specific distribution or kernel version. Detecting this behavior is crucial for identifying potentially compromised systems and uncovering attacker activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Linux system, potentially through SSH or other remote access methods.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the current shell and its configuration.\u003c/li\u003e\n\u003cli\u003eAttacker sets \u003ccode\u003eHISTSIZE\u003c/code\u003e or \u003ccode\u003eHISTFILESIZE\u003c/code\u003e environment variables to \u003ccode\u003e0\u003c/code\u003e to prevent new history entries from being saved.\u003c/li\u003e\n\u003cli\u003eAttacker sets \u003ccode\u003eHISTCONTROL\u003c/code\u003e to \u003ccode\u003eignorespace\u003c/code\u003e to prevent commands starting with a space from being saved.\u003c/li\u003e\n\u003cli\u003eAttacker redirects the \u003ccode\u003eHISTFILE\u003c/code\u003e environment variable to \u003ccode\u003e/dev/null\u003c/code\u003e to discard the history file.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands related to enumeration, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe executed commands are not recorded in the shell history due to the manipulated environment variables.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to remove traces of their presence and maintain stealth by avoiding logging their activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of shell history hinders forensic investigations and incident response efforts. By removing command history, attackers make it difficult to reconstruct their actions on the compromised system. This can lead to delayed detection, prolonged dwell time, and increased damage. The number of victims can vary depending on the scope of the attack, but any Linux system where an attacker gains shell access and clears the history is potentially affected. Sectors targeted may include any organization relying on Linux servers for critical infrastructure or data storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend and configure the \u003ccode\u003elinux.advanced.capture_env_vars\u003c/code\u003e setting to capture \u003ccode\u003eHISTSIZE\u003c/code\u003e, \u003ccode\u003eHISTFILESIZE\u003c/code\u003e, \u003ccode\u003eHISTCONTROL\u003c/code\u003e, and \u003ccode\u003eHISTFILE\u003c/code\u003e to enable the detection rule to function properly.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Linux Shell History Clearing via Environment Variables\u0026quot; to your SIEM to detect this behavior, and tune it according to your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule \u0026quot;Linux Shell History Clearing via Environment Variables\u0026quot; to determine the scope and impact of the potential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious processes that modify shell environment variables related to history, using the provided Sigma rules as a starting point.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-linux-shell-history-clearing/","summary":"Attackers may clear shell history on Linux systems to evade detection by manipulating environment variables related to shell history, such as HISTSIZE and HISTFILE, to prevent command logging.","title":"Linux Shell History Clearing via Environment Variables","url":"https://feed.craftedsignal.io/briefs/2024-01-linux-shell-history-clearing/"}],"language":"en","title":"CraftedSignal Threat Feed - Shell-History","version":"https://jsonfeed.org/version/1.1"}