Merge pull request SigmaHQ#287 from P4T12ICK/feature/lnx-clear-cmd-hi…

…story-signature Add new signature for linux clear command history
jiluhu · Apr 3, 2019 · 2b81401 · 2b81401
2 parents 13f86e9 + d06a543
commit 2b81401
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml
@@ -0,0 +1,27 @@
+title: Clear Command History
+status: experimental
+description: Clear command history in linux which is used for defense evasion. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
+    - https://attack.mitre.org/techniques/T1146/
+author: Patrick Bareiss
+date: 2019/03/24
+logsource:
+    product: linux
+detection:
+    keywords:
+        - 'rm *bash_history'
+        - 'echo "" > *bash_history'
+        - 'cat /dev/null > *bash_history' 
+        - 'ln -sf /dev/null *bash_history'
+        - 'truncate -s0 *bash_history'
+        # - 'unset HISTFILE'  # prone to false positives
+        - 'export HISTFILESIZE=0'
+        - 'history -c'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1146