Shell command history modified


Goal

Detect the tampering of shell command history on a host or container.

Strategy

Commands run in an interactive shell are recorded in a local history file (for example ~/.bash_history) so users can review which applications, scripts, or processes were previously executed. Adversaries tamper with the integrity of the shell command history by deleting the file, truncating it, or replacing it with a symlink to /dev/null so that no further commands are recorded. This lets adversaries obscure their actions and delays the incident response process.
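The three tampering patterns above leave distinct traces on the file itself. The following is an added defender-side check, not code from this rule or from the Datadog Agent: it classifies each known history file under a home directory as missing (deleted), empty (truncated), or symlinked to /dev/null, and runs against a constructed temporary home so it can be tried offline. The history file names and the demo layout are assumptions.

```python
import os
import stat
import tempfile

# Assumed set of history files worth checking; adjust to the shells in use.
HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history", ".ash_history")


def classify_history_file(path):
    """Return a tamper indicator for one shell history file path.

    "missing"              file absent: deleted, or shell never used
    "symlink_to_dev_null"  history silently discarded via symlink
    "symlink"              points elsewhere; review the target
    "empty"                zero bytes, consistent with truncation
    "ok"                   regular file with content
    """
    try:
        st = os.lstat(path)  # lstat so the link itself is inspected, not its target
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        if os.path.realpath(path) == os.path.realpath("/dev/null"):
            return "symlink_to_dev_null"
        return "symlink"
    if st.st_size == 0:
        return "empty"
    return "ok"


def audit_home(home, names=HISTORY_FILES):
    """Classify every listed history file under one home directory and
    return only the findings that are not "ok" (name -> state)."""
    findings = {}
    for name in names:
        state = classify_history_file(os.path.join(home, name))
        if state != "ok":
            findings[name] = state
    return findings


def demo():
    """Constructed sample: a temporary home with one intact, one truncated,
    one /dev/null-linked and one absent history file."""
    home = tempfile.mkdtemp()
    with open(os.path.join(home, ".bash_history"), "w") as f:
        f.write("ls -la\n")                      # intact history
    open(os.path.join(home, ".zsh_history"), "w").close()  # truncated to 0 bytes
    os.symlink("/dev/null", os.path.join(home, ".sh_history"))  # discarded via symlink
    return audit_home(home)                       # .ash_history is never created


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

A "missing" result is only meaningful for shells the user actually logs into, so pair it with the user's login shell when triaging.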

Triage and response

  1. Review the tampering action taken against the shell command history files.
  2. Review the user or process that performed the action against the shell command history.
  3. Determine whether or not this is expected behavior.
  4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.

Requires Agent version 7.27 or greater