MITRE ATT&CK vulnerability spotlight: Bash history - Security Boulevard

MITRE ATT&CK vulnerability spotlight: Bash history

Introduction

MITRE is a federally funded research and development center (FFRDC) for the U.S. government, meaning it performs research and development on the government's behalf. In MITRE’s case, this includes research and development in cybersecurity.

One of MITRE’s cybersecurity efforts includes developing and maintaining the MITRE ATT&CK matrix. This tool breaks down the cyberattack life cycle into its component stages and describes different methods by which an attacker can perform each stage. This information is valuable for formalizing cyberdefense and penetration testing efforts and aids in R&D efforts and cybersecurity discussion.

Exploiting bash history

The MITRE ATT&CK matrix is broken up into several stages, one of which is credential access. In the credential access stage of an attack, an attacker tries to steal user credential information in order to gain access to accounts or elevate privileges on a system. One way of accomplishing this is by taking advantage of the bash history function on Linux systems.

The bash history function in the bash shell on Linux keeps a record of a user’s past 500 commands on the system (the default history size). This is useful for a variety of purposes, since it makes it easier for a user to recall or reuse previously typed commands. It can also be used for monitoring usage of a system, and bash versions 4.1 and later allow automated logging of bash history to syslog.

However, recording a user’s command history can also expose sensitive information. A user may enter commands that include their username or password, and this information may be logged to the bash history file. If so, an attacker who has access to a user’s bash history file can search through it to find these credentials.
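The defender-side counterpart to that search is auditing your own history files for inline credentials before an attacker does. The following scanner is an added example, not code from the original post; the detection patterns, the redaction rules and the sample history lines are all constructed for the demonstration.

```python
import os
import re

# Constructed sample of a ~/.bash_history file (hypothetical, for the demo).
SAMPLE_HISTORY = """\
ls -la
mysql -u app -pS3cretPass db_prod
curl -u admin:hunter2 https://internal.example/api
export AWS_SECRET_ACCESS_KEY=AKIAEXAMPLEKEY123
sshpass -p 'letmein' ssh deploy@10.0.0.5
psql --password=dbpass -h db.internal
"""

# Common ways a credential lands on the command line (and so in history).
# Note: a bare "mysql -p" prompts interactively, so it is NOT flagged.
PATTERNS = [
    ("mysql_inline_password", re.compile(r"\bmysql\b.*\s-p\S+")),
    ("curl_basic_auth", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+\S+:\S+")),
    ("exported_secret", re.compile(r"\bexport\s+\w*(?:SECRET|PASSWORD|TOKEN|KEY)\w*=\S+", re.I)),
    ("sshpass", re.compile(r"\bsshpass\b.*\s-p\s*\S+")),
    ("password_flag", re.compile(r"--password[= ]\S+")),
]
# Group 1 is the prefix to keep; the token after it is masked in reports.
REDACT_RULES = [
    re.compile(r"(--password[= ])(\S+)"),            # --password=SECRET
    re.compile(r"((?:-u|--user)\s+[^:\s]+:)(\S+)"),  # -u user:SECRET
    re.compile(r"(?<!-)(-p\s*)(\S+)"),               # -pSECRET / -p SECRET
    re.compile(r"(=)(\S+)"),                         # VAR=SECRET
]

def redact(line: str) -> str:
    """Mask the secret part of a command so findings can be reported safely."""
    for rule in REDACT_RULES:
        line = rule.sub(lambda m: m.group(1) + "***", line)
    return line

def scan_history(text: str) -> list:
    """Return (line_no, pattern_name, redacted_command) for each risky line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((line_no, name, redact(line)))
                break  # one finding per line is enough
    return findings

if __name__ == "__main__":  # run against your own history file
    with open(os.path.expanduser("~/.bash_history"), errors="replace") as fh:
        for line_no, name, cmd in scan_history(fh.read()):
            print(f"line {line_no}: {name}: {cmd}")
```

Any hit is a cue to rotate the credential and to prevent the recurrence, for example by moving secrets into environment files or credential helpers rather than command arguments.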

One way that user credentials can be included in the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/NQ3yp1dPtpU/