Detect Bash History in CrowdStrike LogScale
Adversaries may search the command-line history on compromised systems for insecurely stored credentials. On Linux and macOS, shells like Bash and Zsh maintain history files (~/.bash_history, ~/.zsh_history) that capture all commands including those containing passwords passed as arguments. On Windows, PowerShell maintains a persistent history file at %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Users frequently type credentials as command-line arguments to tools like curl, ssh, mysql, psql, git, and aws CLI, which then persist in shell history. Kinsing malware is a known user of this technique to harvest credentials from containerized environments.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1552 Unsecured Credentials
- Sub-technique
- T1552.003 Shell History
- Canonical reference
- https://attack.mitre.org/techniques/T1552/003/
LogScale Detection Query
(#event_simpleName = ProcessRollup2 OR #event_simpleName = SuspiciousFileRead)
| (CommandLine = /(\.bash_history|\.zsh_history|\.sh_history|\.fish_history|ConsoleHost_history\.txt|PSReadLine|Get-History)/i OR TargetFileName = /(\.bash_history|\.zsh_history|\.sh_history|\.fish_history|\.history|ConsoleHost_history\.txt|PSReadLine)/i)
| ImageFileName != /\/(bash|zsh|sh|fish|sshd)$/i
| ImageFileName != /\\(powershell|pwsh)\.exe$/i
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, ProcessId, ParentBaseFileName])
| sort(timestamp, order=desc)Detects shell history file access and command-line references in CrowdStrike Falcon EDR telemetry using LogScale CQL. Correlates ProcessRollup2 process execution events containing history file paths in their command lines with SuspiciousFileRead sensor events targeting known shell history file names. Excludes legitimate shell binary paths from both ImageFileName and parent process context to suppress noise.
Data Sources
Required Tables
False Positives & Tuning
- The CrowdStrike Falcon sensor itself may generate SuspiciousFileRead telemetry for shell history files as part of its own credential protection and behavioral analysis features
- Shell history management utilities and dotfile synchronization tools (chezmoi, yadm, homesick) that explicitly read and write history files during environment setup or synchronization
- Authorized red team or penetration testing engagements running post-exploitation frameworks that enumerate home directories as part of their sanctioned assessment activity
Other platforms for T1552.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Read bash_history File for Credentials
Expected signal: Linux auditd EXECVE records for cat and grep with .bash_history path. OPEN syscall for .bash_history. Process chain visible in auditd records.
- Test 2Access Another User's bash_history
Expected signal: Linux auditd: SYSCALL with uid of calling user but auid of root for the cat command. OPEN syscall for /root/.bash_history. sudo usage logged in /var/log/auth.log.
- Test 3Read Windows PowerShell History
Expected signal: Sysmon Event ID 1: cmd.exe with 'type' and 'ConsoleHost_history.txt' in command line. Sysmon Event ID 11: file access for ConsoleHost_history.txt.
- Test 4Enumerate All Shell History Files on System
Expected signal: Linux auditd EXECVE for find with .bash_history pattern. Multiple OPEN syscalls for each discovered history file. Process chain showing find then cat.
References (7)
- https://attack.mitre.org/techniques/T1552/003/
- https://linux.die.net/man/1/bash
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://docs.microsoft.com/en-us/powershell/module/psreadline/
- https://objective-see.org/blog/blog_0x25.html
Unlock Pro Content
Get the full detection package for T1552.003 including response playbook, investigation guide, and atomic red team tests.