ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: DT053
  • Created: 09th June 2024
  • Updated: 09th June 2024
  • Platforms: Linux, MacOS,
  • Contributor: The ITM Team

Missing .bash_history File

The .bash_history file, located within a user's directory on MacOS and Linux, is written with command history from shell sessions.

If the file is missing, this could indicate that it has been deleted, if a user account has used a shell utility previously.

Sections

ID Name Description
AF001Hiding or Destroying Command History

A subject clears, hides, or suppresses command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.

AF001.002Clear Bash History

A subject clears bash terminal command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.

The Command Prompt on Windows only stores command history within the current session, once Command Prompt is closed, the history is lost.

On Linux-based operating systems different terminal software may store command history in various locations, with the most common being /home/%username%/.bash_history. Using the command history -c will clear the history for the current session, preventing it from being written to .bash_history when the session ends.

On MacOS the Terminal utility will write command history to /Users/%username%/.zsh_history or /Users/%username%/.bash_history based on operating system version.

IF027.002Ransomware Deployment

The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.

 

Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.

 

In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive.