MITRE ATT&CK - Техника Повреждение журнала истории команд

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Impair Defenses: Повреждение журнала истории команд

Other sub-techniques of Impair Defenses (9)

ID	Название
.001	Отключение или перенастройка средств защиты
.002	Отключение журналирования событий Windows
.003	Повреждение журнала истории команд
.004	Отключение или перенастройка системного межсетевого экрана
.006	Блокировка сбора признаков активности
.007	Отключение или перенастройка облачного межсетевого экрана
.008	Отключение облачного журналирования
.009	Загрузка в безопасном режиме
.010	Атака через понижение версии

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).

ID: T1562.003

Относится к технике: T1562

Тактика(-и): Defense Evasion

Платформы: Linux, macOS, Network, Windows

Источники данных: Command: Command Execution, Sensor Health: Host Status

Версия: 2.2

Дата создания: 21 Feb 2020

Последнее изменение: 01 Sep 2022

Название	Описание
Примеры процедур
APT38	APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.(Citation: CISA AA20-239A BeagleBoyz August 2020)
SILENTTRINITY	SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.(Citation: GitHub SILENTTRINITY Modules July 2019)

Контрмера	Описание
Контрмеры
Operating System Configuration	Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Environment Variable Permissions	Prevent modification of environment variables by unauthorized users and groups.

Обнаружение

Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious. Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. Further, Network Device CLI commands may also be used to clear or disable historical log data with built-in features native to the network device platform. Monitor such command activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.

Ссылки

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.