<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Shell-History - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/shell-history/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/shell-history/feed.xml" rel="self" type="application/rss+xml"/><item><title>Linux Shell History Clearing via Environment Variables</title><link>https://feed.craftedsignal.io/briefs/2024-01-linux-shell-history-clearing/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-linux-shell-history-clearing/</guid><description>Attackers may clear shell history on Linux systems to evade detection by manipulating environment variables related to shell history, such as HISTSIZE and HISTFILE, to prevent command logging.</description><content:encoded><![CDATA[<p>Attackers on Linux systems may attempt to clear shell history to hide their activities and evade detection. This is achieved by manipulating environment variables that control the shell's history logging behavior. By setting variables like <code>HISTSIZE</code> or <code>HISTFILESIZE</code> to <code>0</code>, <code>HISTCONTROL</code> to <code>ignorespace</code>, or redirecting <code>HISTFILE</code> to <code>/dev/null</code>, attackers can effectively disable or erase the command history, making it difficult for defenders to track their actions. This technique is often employed after gaining initial access to a system to mask subsequent malicious activities, such as privilege escalation, lateral movement, or data exfiltration. This activity can occur on any compromised Linux host, regardless of the specific distribution or kernel version. Detecting this behavior is crucial for identifying potentially compromised systems and uncovering attacker activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a Linux system, potentially through SSH or other remote access methods.</li>
<li>Attacker identifies the current shell and its configuration.</li>
<li>Attacker sets <code>HISTSIZE</code> or <code>HISTFILESIZE</code> environment variables to <code>0</code> to prevent new history entries from being saved.</li>
<li>Attacker sets <code>HISTCONTROL</code> to <code>ignorespace</code> to prevent commands starting with a space from being saved.</li>
<li>Attacker redirects the <code>HISTFILE</code> environment variable to <code>/dev/null</code> to discard the history file.</li>
<li>Attacker executes commands related to enumeration, privilege escalation, or lateral movement.</li>
<li>The executed commands are not recorded in the shell history due to the manipulated environment variables.</li>
<li>Attacker attempts to remove traces of their presence and maintain stealth by avoiding logging their activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful clearing of shell history hinders forensic investigations and incident response efforts. By removing command history, attackers make it difficult to reconstruct their actions on the compromised system. This can lead to delayed detection, prolonged dwell time, and increased damage. The number of victims can vary depending on the scope of the attack, but any Linux system where an attacker gains shell access and clears the history is potentially affected. Sectors targeted may include any organization relying on Linux servers for critical infrastructure or data storage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Elastic Defend and configure the <code>linux.advanced.capture_env_vars</code> setting to capture <code>HISTSIZE</code>, <code>HISTFILESIZE</code>, <code>HISTCONTROL</code>, and <code>HISTFILE</code> to enable the detection rule to function properly.</li>
<li>Deploy the Sigma rule &quot;Linux Shell History Clearing via Environment Variables&quot; to your SIEM to detect this behavior, and tune it according to your environment.</li>
<li>Investigate any alerts generated by the detection rule &quot;Linux Shell History Clearing via Environment Variables&quot; to determine the scope and impact of the potential compromise.</li>
<li>Monitor for suspicious processes that modify shell environment variables related to history, using the provided Sigma rules as a starting point.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>linux</category><category>shell-history</category></item></channel></rss>