Detectionmediumtest

Suspicious History File Operations

Detects commandline operations on shell history files

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mikhail Larin, oscd.communityCreated Sat Oct 17Updated Sat Nov 27508a9374-ad52-4789-b568-fc358def2c65macos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains:
            - '.bash_history'
            - '.zsh_history'
            - '.zhistory'
            - '.history'
            - '.sh_history'
            - 'fish_history'
    condition: selection

False Positives

Legitimate administrative activity

Legitimate software, cleaning hist file

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1552.003 · Bash History

Rule Metadata

Rule ID

508a9374-ad52-4789-b568-fc358def2c65

Status

test

Level

medium

Type

Detection

Created

Sat Oct 17

Modified

Sat Nov 27

Author

Mikhail Larin, oscd.community

Path

rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml

Raw Tags

attack.credential-accessattack.t1552.003

View on GitHub