Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3)
Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) | Attack Pattern | 1 |