
Insider Threat Matrix™

  • ID: DT088
  • Created: 25th July 2024
  • Updated: 25th July 2024
  • Platforms: Linux, MacOS
  • Contributor: Ismael Briones-Vilar

Bash History

Bash history is the record of the commands run in a Bash shell. It can be viewed from within a Bash shell with the history command.

By default, Bash keeps a session's history in memory until the user logs out of the terminal, and only then writes it to ~/.bash_history. The in-memory history buffer is limited to 1,000 command entries, and the history file to 2,000 entries.

It is trivial to modify the ~/.bash_history file with a text editor, so entries can be deleted or falsified.
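As an added illustration (an example script written for this page, not part of the ITM entry or its contributor's work): when a shell has HISTTIMEFORMAT set, Bash writes a "#<epoch>" line before each command it appends to ~/.bash_history, and those timestamps give a defender a simple consistency check for a file that may have been hand-edited. The sample history below is constructed; its path, commands and timestamps are invented.

```shell
#!/usr/bin/env bash
# Added example, not part of the ITM entry. Sanity-checks a Bash history
# file written with HISTTIMEFORMAT set, i.e. each command is preceded by a
# "#<epoch>" line. Bash appends those in increasing order, so a timestamp
# that runs backwards, or a command with no timestamp, hints at editing.

# Constructed sample: the third timestamp runs backwards and the last
# command has no timestamp line.
SAMPLE_HISTORY=$(mktemp)
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat > "$SAMPLE_HISTORY" <<'EOF'
#1721904000
ls -la ~/Documents
#1721904060
cp FinancialReport.docx /media/usb/Recipes.txt
#1721903000
cat /etc/hostname
#1721904120
ssh fileserver
whoami
EOF

# Usage: check_history <file>; prints one line per anomaly plus a summary.
check_history() {
    local file=$1 prev=0 ts="" n=0 anomalies=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'[0-9]*)                     # timestamp line written by Bash
                ts=${line#\#}
                if [ "$ts" -lt "$prev" ]; then
                    printf 'out-of-order timestamp %s (previous %s)\n' "$ts" "$prev"
                    anomalies=$((anomalies + 1))
                fi
                prev=$ts ;;
            *)                             # command line
                n=$((n + 1))
                if [ -z "$ts" ]; then
                    printf 'command without timestamp: %s\n' "$line"
                    anomalies=$((anomalies + 1))
                fi
                ts="" ;;                   # timestamp is consumed by its command
        esac
    done < "$file"
    printf 'entries=%d anomalies=%d\n' "$n" "$anomalies"
}

check_history "$SAMPLE_HISTORY"
```

A history file written without HISTTIMEFORMAT contains no timestamp lines at all, so every command is reported; the check is only meaningful on hosts where that variable was set before the commands were recorded.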

Sections

  • ID: PR020.001
  • Name: Renaming Files or Changing File Extensions
  • Description: A subject may rename a file to obscure its content, or change the file extension to hide the file type. This can help avoid suspicion and bypass certain security filters and endpoint monitoring tools. For example, renaming a sensitive document from FinancialReport.docx to Recipes.txt before copying it to a USB mass storage device.