T1552.003 Bash History Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect shell history file access for credential harvesting
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileAccessed", "FileCreated")
| where (
    // Linux/macOS shell history files
    FileName in~ (".bash_history", ".zsh_history", ".sh_history", ".history",
                  ".fish_history", ".ksh_history", ".csh_history")
    or
    // Windows PowerShell history
    FileName =~ "ConsoleHost_history.txt"
    or
    // Linux history in various locations
    FolderPath has ".bash_history" or FolderPath has ".zsh_history"
    or FolderPath has "PSReadLine"
  )
| where InitiatingProcessFileName !in~ ("bash", "zsh", "sh", "fish", "powershell", "pwsh", "sshd")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| union (
    // Detect direct read/cat/type of history files via process command lines
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (
        ".bash_history", ".zsh_history", ".sh_history",
        "ConsoleHost_history.txt", "PSReadLine", "Get-History"
      )
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName
)
| sort by Timestamp desc

medium severity medium confidence

Data Sources

File: File Access Process: Process Creation Command: Command Execution

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Shell processes (bash, zsh, sh) legitimately reading their own history files at session start/end — this is normal behavior and should be excluded
Backup agents reading home directories including shell history files as part of user data backup
System administration scripts that process or rotate shell history files for compliance or auditing
IDE and terminal applications that integrate with shell history for command completion features
Security tools performing scheduled credential hygiene scans on behalf of users

Splunk

spl

index=linux_audit OR index=wineventlog (sourcetype="linux_audit" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
  sourcetype="linux_audit" type=OPEN
  (name="*.bash_history" OR name="*.zsh_history" OR name="*.sh_history" OR name="*/.history")
  success="yes"
  NOT (comm="bash" OR comm="zsh" OR comm="sh" OR comm="sshd" OR comm="rsync")
| eval FileAccessed=name
| eval ProcessName=comm
| eval AlertType="LinuxHistoryAccess"
| table _time, host, auid, ProcessName, FileAccessed, AlertType
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*ConsoleHost_history.txt*" OR CommandLine="*PSReadLine*history*" OR CommandLine="*Get-History*")
  NOT (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval AlertType="PSHistoryAccess"
| table _time, host, User, Image, CommandLine, AlertType
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  TargetFilename="*ConsoleHost_history.txt*"
  NOT (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\MicrosoftEdge*")
| eval AlertType="PSHistoryFileAccess"
| table _time, host, User, Image, TargetFilename, AlertType
)
| sort - _time

medium severity medium confidence

Data Sources

File: File Access Process: Process Creation linux_audit (auditd OPEN events) Sysmon Event ID 1, 11

Required Sourcetypes

linux_audit XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Shell processes reading their own history files at session start/end
Backup agents reading home directories including shell history
System administration scripts processing history files
IDE and terminal applications integrating with shell history
Compliance tools auditing shell history for sensitive data exposure

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and
    (
      file.name in (".bash_history", ".zsh_history", ".sh_history", ".history", ".fish_history", ".ksh_history", ".csh_history") or
      file.path : "*ConsoleHost_history.txt*" or
      file.path : "*PSReadLine*"
    ) and
    not process.name in ("bash", "zsh", "sh", "fish", "powershell", "pwsh", "sshd", "rsync")
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.command_line : "*.bash_history*" or
      process.command_line : "*.zsh_history*" or
      process.command_line : "*ConsoleHost_history.txt*" or
      process.command_line : "*PSReadLine*" or
      process.command_line : "*Get-History*"
    ) and
    not process.name in ("bash", "zsh", "sh", "fish", "powershell", "pwsh")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (Linux) Winlogbeat with Sysmon Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-* winlogbeat-*

False Positives

Backup software (rsync, Veeam agents, Duplicati) scanning home directories as part of scheduled backup jobs will trigger file access events on shell history files
Security and compliance tools such as osquery, AIDE, or Wazuh performing file integrity monitoring or scheduled home directory audits
Terminal multiplexers and IDE plugins (tmux, VS Code Remote SSH, JetBrains Gateway) that access shell history files for session restoration or autocomplete features

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS QIDName,
  "Process Name" AS ProcessName,
  "File Path" AS FilePath,
  "Command" AS CommandLine
FROM events
WHERE
  (
    (
      ("File Path" ILIKE '%.bash_history%'
       OR "File Path" ILIKE '%.zsh_history%'
       OR "File Path" ILIKE '%/.history%'
       OR "File Path" ILIKE '%.sh_history%'
       OR "File Path" ILIKE '%ConsoleHost_history.txt%'
       OR "File Path" ILIKE '%PSReadLine%')
      AND NOT ("Process Name" ILIKE 'bash'
               OR "Process Name" ILIKE 'zsh'
               OR "Process Name" ILIKE 'sh'
               OR "Process Name" ILIKE 'sshd'
               OR "Process Name" ILIKE 'powershell.exe'
               OR "Process Name" ILIKE 'pwsh.exe')
    )
    OR
    (
      ("Command" ILIKE '%.bash_history%'
       OR "Command" ILIKE '%.zsh_history%'
       OR "Command" ILIKE '%ConsoleHost_history.txt%'
       OR "Command" ILIKE '%Get-History%'
       OR "Command" ILIKE '%PSReadLine%')
      AND NOT ("Process Name" ILIKE 'bash'
               OR "Process Name" ILIKE 'zsh'
               OR "Process Name" ILIKE 'sh'
               OR "Process Name" ILIKE 'powershell.exe'
               OR "Process Name" ILIKE 'pwsh.exe')
    )
  )
  AND starttime > (NOW() - 86400000)
ORDER BY starttime DESC
LAST 10000

high severity medium confidence

Data Sources

IBM QRadar SIEM Linux OS DSM (auditd) Microsoft Windows Sysmon DSM Windows Security Event Log DSM

Required Tables

events

False Positives

IT asset inventory and SIEM configuration tools reading home directories during scheduled discovery scans may match history file path patterns
Endpoint detection agents (CrowdStrike Falcon, Carbon Black Response) accessing history files as part of their own behavioral telemetry collection routines
System administration automation (Ansible playbooks, Chef recipes, Puppet manifests) that include history file paths in execution templates or verification steps

Sumo Logic CSE

sql

(_sourceCategory="linux/audit" OR _sourceCategory="windows/sysmon")
| where (name matches "*.bash_history" OR name matches "*.zsh_history" OR name matches "*/.history" OR name matches "*.sh_history"
  OR TargetFilename matches "*ConsoleHost_history.txt*" OR TargetFilename matches "*PSReadLine*"
  OR CommandLine matches "*.bash_history*" OR CommandLine matches "*.zsh_history*"
  OR CommandLine matches "*ConsoleHost_history.txt*" OR CommandLine matches "*Get-History*" OR CommandLine matches "*PSReadLine*")
| where !(comm = "bash" OR comm = "zsh" OR comm = "sh" OR comm = "sshd"
  OR Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe")
| if (!isNull(name) AND name != "", name, if(!isNull(TargetFilename) AND TargetFilename != "", TargetFilename, "N/A")) as HistoryFile
| if (!isNull(comm) AND comm != "", comm, if(!isNull(Image) AND Image != "", Image, "unknown")) as ProcessName
| fields _messageTime, _sourceHost, auid, ProcessName, HistoryFile, CommandLine, User
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic SIEM Linux Auditd via Sumo Logic Collector Windows Sysmon (Event ID 1, 11) Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

_sourceCategory=linux/audit _sourceCategory=windows/sysmon

False Positives

Compliance scanning tools (Lynis, OpenSCAP, CIS-CAT) that audit shell history file existence and permissions as part of CIS benchmark hardening checks
Developer shell history search utilities (hstr, mcfly, fzf with shell integration) that access history files during interactive terminal sessions generating process events
Container management platforms executing backup or migration operations that include home directory contents from within containerized Linux environments

Google Chronicle / SecOps

yaral

rule t1552_003_bash_history_credential_access {
  meta:
    author = "Detection Engineering"
    description = "Detects shell history file access for credential harvesting - T1552.003"
    severity = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.003"
    reference = "https://attack.mitre.org/techniques/T1552/003/"

  events:
    (
      $e.metadata.event_type = "FILE_OPEN" or
      $e.metadata.event_type = "FILE_READ" or
      $e.metadata.event_type = "FILE_CREATION"
    )
    (
      re.regex($e.target.file.full_path, `\.bash_history$`) or
      re.regex($e.target.file.full_path, `\.zsh_history$`) or
      re.regex($e.target.file.full_path, `\.sh_history$`) or
      re.regex($e.target.file.full_path, `\.fish_history$`) or
      re.regex($e.target.file.full_path, `/\.history$`) or
      re.regex($e.target.file.full_path, `ConsoleHost_history\.txt`) or
      re.regex($e.target.file.full_path, `PSReadLine`)
    )
    not re.regex($e.principal.process.file.full_path, `/(bash|zsh|sh|fish|sshd)$`) nocase
    not re.regex($e.principal.process.file.full_path, `(powershell|pwsh)\.exe$`) nocase

    $hostname = $e.principal.hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) CrowdStrike Falcon via Chronicle ingestion Linux Auditd via Chronicle Forwarder Windows Sysmon via Chronicle Forwarder

Required Tables

UDM Events (FILE_OPEN, FILE_READ, FILE_CREATION)

False Positives

Automated configuration management tools (Ansible, SaltStack, Puppet) that read home directory dotfiles including shell history to verify or apply configuration state
Authorized administrators explicitly searching .bash_history for troubleshooting or internal forensic investigation purposes from privileged workstations
Cloud VM backup solutions that include home directory contents in their backup scope, triggering FILE_READ events on shell history files during scheduled backup windows

CrowdStrike LogScale (CQL)

cql

(#event_simpleName = ProcessRollup2 OR #event_simpleName = SuspiciousFileRead)
| (CommandLine = /(\.bash_history|\.zsh_history|\.sh_history|\.fish_history|ConsoleHost_history\.txt|PSReadLine|Get-History)/i OR TargetFileName = /(\.bash_history|\.zsh_history|\.sh_history|\.fish_history|\.history|ConsoleHost_history\.txt|PSReadLine)/i)
| ImageFileName != /\/(bash|zsh|sh|fish|sshd)$/i
| ImageFileName != /\\(powershell|pwsh)\.exe$/i
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, ProcessId, ParentBaseFileName])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2 SuspiciousFileRead

False Positives

The CrowdStrike Falcon sensor itself may generate SuspiciousFileRead telemetry for shell history files as part of its own credential protection and behavioral analysis features
Shell history management utilities and dotfile synchronization tools (chezmoi, yadm, homesick) that explicitly read and write history files during environment setup or synchronization
Authorized red team or penetration testing engagements running post-exploitation frameworks that enumerate home directories as part of their sanctioned assessment activity

Bash History

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections