Adversaries print or redirect the contents of shell history files (.bash_history, .zsh_history and similar) to harvest credentials, hostnames and other details of what a user has been doing on the system. The Sigma rule below, and its Azure Sentinel (KQL) translation, flag cat, head, tail or more invoked against a history file; SOC teams can run the query as a scheduled analytic or as a hunting query to surface this reconnaissance before it turns into credential theft or data exfiltration.
Detection Rule
title: Print History File Contents
id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66
status: test
description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.reconnaissance
    - attack.t1592.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/cat'
            - '/head'
            - '/tail'
            - '/more'
    selection_history:
        - CommandLine|contains:
            - '/.bash_history'
            - '/.zsh_history'
        - CommandLine|endswith:
            - '_history'
            - '.history'
            - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: medium
imProcessCreate
| where TargetProcessName endswith "/cat"
    or TargetProcessName endswith "/head"
    or TargetProcessName endswith "/tail"
    or TargetProcessName endswith "/more"
| where TargetProcessCommandLine contains "/.bash_history"
    or TargetProcessCommandLine contains "/.zsh_history"
    or TargetProcessCommandLine endswith "_history"
    or TargetProcessCommandLine endswith ".history"
    or TargetProcessCommandLine endswith "zhistory"
Scenario: System Administrator Reviewing Bash History for Troubleshooting
Description: An admin manually reviews a user's .bash_history file to investigate unusual command patterns, typically with cat, head or tail.
Filter/Exclusion: This is the rule firing as designed, so tune it narrowly: suppress the specific host, account and command line tied to a documented change or ticket rather than excluding every administrator, since an attacker who has obtained root or an admin's credentials produces identical events. Note that reading history with grep or a text editor does not match this rule at all (the Image selection is limited to cat, head, tail and more), so no grep exclusion is needed here; covering those readers requires a separate rule.
Scenario: Scheduled Job Exporting User Activity Logs
Description: A scheduled job exports user command history for audit purposes, for example a cron entry that cats each .bash_history and pipes it through tee into an archive.
Filter/Exclusion: Only the cat/head/tail/more process matches; script or tee on their own do not. Suppress the job's exact command line running under the service account and on the hosts where it is scheduled, rather than excluding everything spawned by cron, which attackers also use for persistence. Avoid keyword-based exclusions such as "audit" in the command line: anyone who controls the command line can add the keyword.
Scenario: Developer Using history Command for Debugging
Description: A developer runs the history command in an interactive terminal to recall the commands used while debugging a script.
Filter/Exclusion: history is a shell builtin, so it creates no process and generates no process_creation event; this rule only fires if the developer instead runs something like cat ~/.bash_history. Do not exclude by role ("the user is a developer") or by keywords such as debug or trace, both of which an attacker can satisfy; if the activity is routine on a given host, allowlist that host, account and the specific history path.
Scenario: Log Rotation or Archive Process
Description: A log rotation tool (e.g., logrotate) or an archive script processes history files as part of a cleanup or backup task.
Filter/Exclusion: logrotate, tar and rsync do not match the Image selection and will not trigger the rule by themselves; it fires only when the script reads the file through cat, head, tail or more (e.g., cat ~/.bash_history >> archive). Allowlist the script's exact command line and the account it runs as; an exclusion keyed only on a path fragment is easy for an attacker to satisfy by choosing a matching destination.
Scenario: Security Tool or SIEM Agent Collecting Command History
Description: A security tool or SIEM agent is collecting command history for monitoring or correlation purposes.
Filter/Exclusion: Exclude commands initiated by security tools or agents (e.g., `splunk