Shell command history modified


Goal

Detect the tampering of shell command history on a host or container.

Strategy

Commands typed into an interactive shell are written to a local history file so users can review the applications, scripts, or processes they previously executed. Adversaries tamper with the integrity of that history by deleting the file, truncating it, or replacing it with a symlink to /dev/null so that nothing further is recorded. This lets them obscure their actions on the host and delays the incident response process.
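The three tampering patterns described above can be checked for directly on a host or container. The following is an added example, not Datadog's rule or agent code: a small Python audit that inspects a home directory for shell history files that are symlinked to /dev/null, truncated to zero bytes, or missing. The list of history file names and the constructed demo home directory are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Shell history files commonly found in a home directory.
# Assumption: an illustrative list, not the detection rule's actual watch list.
HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history", ".ash_history")


def inspect_history_file(path: Path) -> Optional[str]:
    """Classify one history file. Returns a finding label, or None if it looks intact."""
    if path.is_symlink():
        target = os.readlink(path)
        if target == "/dev/null" or os.path.realpath(path) == "/dev/null":
            return "symlink_to_dev_null"      # new commands are silently discarded
        return f"symlink_to:{target}"         # redirected elsewhere; still worth review
    if not path.exists():
        return "missing"                      # deleted (or never created for this shell)
    if path.stat().st_size == 0:
        return "truncated"                    # e.g. emptied with a redirect or truncate(1)
    return None


def audit_home(home: Path) -> Dict[str, str]:
    """Return {filename: finding} for every history file in `home` that looks tampered with."""
    findings: Dict[str, str] = {}
    for name in HISTORY_FILES:
        finding = inspect_history_file(home / name)
        if finding is not None:
            findings[name] = finding
    return findings


def build_demo_home() -> Path:
    """Constructed sample home directory: one file per tampering case plus one intact file."""
    home = Path(tempfile.mkdtemp(prefix="history-audit-"))
    os.symlink("/dev/null", home / ".bash_history")                   # symlinked to /dev/null
    (home / ".zsh_history").touch()                                   # truncated to zero bytes
    (home / ".ash_history").write_text("ls -la\ncat /etc/hostname\n")  # intact, constructed content
    # .sh_history is deliberately absent, so it is reported as missing
    return home


if __name__ == "__main__":
    demo_home = build_demo_home()
    for name, finding in sorted(audit_home(demo_home).items()):
        print(f"{demo_home / name}: {finding}")
```

A "missing" finding needs context during triage: a user who never ran that shell will simply not have the file, so treat it as a lead to correlate with the user or process identified in the triage steps rather than as proof of tampering on its own. The symlink-to-/dev/null and zero-byte cases are stronger signals because they leave the file present but useless.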

Triage and response

  1. Review the tampering action taken against the shell command history files.
  2. Review the user or process that performed the action against the shell command history.
  3. Determine whether or not this is expected behavior.
  4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.

Requires Agent version 7.27 or greater