
Suspicious History File Operations - Linux

Detects command-line operations (auditd EXECVE records) that reference shell history files, such as deleting, truncating or reading .bash_history.

Author: Mikhail Larin, oscd.community
Created: Sat Oct 17
Updated: Mon Nov 28
Rule ID: eae8ce9f-bde9-47a6-8e79-f20d18419910
Product: linux
Log Source
Product: linux
Service: auditd
Detection Logic (2 selectors)
detection:
    # Selector 1: only auditd EXECVE records (the decoded argv of an exec call)
    execve:
        type: EXECVE
    # Selector 2: a keyword list, matched as substrings anywhere in the event
    history:
        - '.bash_history'
        - '.zsh_history'
        - '.zhistory'
        - '.history'
        - '.sh_history'
        - 'fish_history'
    # Both selectors must hold for the same record
    condition: execve and history
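The following is an added example, not part of the rule or of the Sigma project, showing the rule's logic applied to a few constructed auditd EXECVE records. It also shows a caveat a practitioner should know about: auditd hex-encodes any argument that contains spaces or quotes (a `bash -c` one-liner is the usual case), so a keyword match on the raw log text misses `.zsh_history` inside such an argument until the argument is decoded. The log lines, user name and serial numbers are constructed; matching only against the reconstructed command line (rather than the whole record, as Sigma keyword lists do) is a simplification for illustration.

```python
import re
from typing import Dict, List, Tuple

# Keyword list copied from the rule's `history` selector.
HISTORY_KEYWORDS = [
    ".bash_history", ".zsh_history", ".zhistory",
    ".history", ".sh_history", "fish_history",
]

def _hex(s: str) -> str:
    # auditd emits arguments containing spaces/quotes as upper-case hex bytes.
    return s.encode().hex().upper()

# Constructed sample auditd records (not real captures). Event 202 carries a
# hex-encoded a2 argument exactly as auditd would emit it for `bash -c '...'`.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="rm" exe="/usr/bin/rm" key="exec"',
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="rm" a1="-f" a2="/home/alice/.bash_history"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="bash" a1="-c" a2=' + _hex("cat /dev/null > /home/alice/.zsh_history"),
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="ls" a1="-la"',
    'type=PATH msg=audit(1700000000.104:204): item=0 name="/home/alice/.bash_history" inode=1234',
])

FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
ARG_RE = re.compile(r'a(\d+)(?:\[(\d+)\])?')   # a0, a1, ... plus chunked a2[0], a2[1]
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def _decode(key: str, raw: str) -> str:
    """Strip quotes, or hex-decode an unquoted argv field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if ARG_RE.fullmatch(key) and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_record(line: str, decode_hex: bool = True) -> Dict[str, str]:
    """Turn one auditd line into a field dict; decode_hex=False mimics matching on raw text."""
    rec: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        rec[key] = _decode(key, raw) if decode_hex else raw.strip('"')
    return rec

def command_line(rec: Dict[str, str]) -> str:
    """Rebuild argv from a0..aN (chunked args a2[0], a2[1] are concatenated)."""
    parts: Dict[int, List[Tuple[int, str]]] = {}
    for key, val in rec.items():
        m = ARG_RE.fullmatch(key)
        if m:
            parts.setdefault(int(m.group(1)), []).append((int(m.group(2) or 0), val))
    return " ".join("".join(v for _, v in sorted(parts[i])) for i in sorted(parts))

def matches_rule(rec: Dict[str, str]) -> bool:
    """The rule's condition: an EXECVE record containing any history keyword."""
    if rec.get("type") != "EXECVE":
        return False
    cmd = command_line(rec)
    return any(kw in cmd for kw in HISTORY_KEYWORDS)

def scan(log_text: str, decode_hex: bool = True) -> List[Tuple[str, str]]:
    """Return (serial, command line) for every record the rule fires on."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line, decode_hex)
        if matches_rule(rec):
            serial = SERIAL_RE.search(line).group(1)
            hits.append((serial, command_line(rec)))
    return hits

if __name__ == "__main__":
    print("decoded :", scan(SAMPLE_LOG))
    print("raw text:", scan(SAMPLE_LOG, decode_hex=False))
```

With hex decoding the rule fires on events 201 (`rm -f .../.bash_history`) and 202 (the `bash -c` one-liner); on raw text only 201 is caught. Whether the converted rule sees decoded arguments depends on the ingestion pipeline (for example `ausearch -i` interprets hex fields, a raw syslog forward of audit.log does not), so check that before trusting this rule against shell one-liners.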
False Positives

Legitimate administrative activity

Legitimate software cleaning or rotating the history file

Rule Metadata
Rule ID
eae8ce9f-bde9-47a6-8e79-f20d18419910
Status
test
Level
medium
Type
Detection
Created
Sat Oct 17
Modified
Mon Nov 28
Path
rules/linux/auditd/execve/lnx_auditd_susp_histfile_operations.yml
Raw Tags
attack.credential-access, attack.t1552.003