Detect Bash History in IBM QRadar
Adversaries may search the command-line history on compromised systems for insecurely stored credentials. On Linux and macOS, shells like Bash and Zsh maintain history files (~/.bash_history, ~/.zsh_history) that record every command, including those with passwords passed as arguments. On Windows, PowerShell maintains a persistent history file at %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Users frequently type credentials as command-line arguments to tools like curl, ssh, mysql, psql, git, and the aws CLI, and those commands then persist in shell history. Kinsing malware is a known user of this technique to harvest credentials from containerized environments.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.003 Shell History
- Canonical reference: https://attack.mitre.org/techniques/T1552/003/
QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS QIDName,
  "Process Name" AS ProcessName,
  "File Path" AS FilePath,
  "Command" AS CommandLine
FROM events
WHERE
  (
    (
      ("File Path" ILIKE '%.bash_history%'
        OR "File Path" ILIKE '%.zsh_history%'
        OR "File Path" ILIKE '%/.history%'
        OR "File Path" ILIKE '%.sh_history%'
        OR "File Path" ILIKE '%ConsoleHost_history.txt%'
        OR "File Path" ILIKE '%PSReadLine%')
      AND NOT ("Process Name" ILIKE 'bash'
        OR "Process Name" ILIKE 'zsh'
        OR "Process Name" ILIKE 'sh'
        OR "Process Name" ILIKE 'sshd'
        OR "Process Name" ILIKE 'powershell.exe'
        OR "Process Name" ILIKE 'pwsh.exe')
    )
    OR
    (
      ("Command" ILIKE '%.bash_history%'
        OR "Command" ILIKE '%.zsh_history%'
        OR "Command" ILIKE '%ConsoleHost_history.txt%'
        OR "Command" ILIKE '%Get-History%'
        OR "Command" ILIKE '%PSReadLine%')
      AND NOT ("Process Name" ILIKE 'bash'
        OR "Process Name" ILIKE 'zsh'
        OR "Process Name" ILIKE 'sh'
        OR "Process Name" ILIKE 'powershell.exe'
        OR "Process Name" ILIKE 'pwsh.exe')
    )
  )
  AND starttime > (NOW() - 86400000)
ORDER BY starttime DESC
LIMIT 10000
```

Detects access to shell history files, or process command lines referencing history file paths, in IBM QRadar by querying normalized device properties from Linux auditd and Windows Sysmon log sources. The custom properties 'File Path', 'Process Name', and 'Command' must be mapped in the QRadar DSM configuration for the Sysmon and Linux OS log sources. The `starttime` filter restricts results to the last 24 hours (86400000 ms) and `LIMIT 10000` caps the number of rows returned (AQL's `LAST` clause takes a time unit, so a bare `LAST 10000` is not valid). The shell and PowerShell processes are excluded because they read and write their own history files as part of normal operation. Covers both Linux shell history and Windows PSReadLine history harvesting patterns.
Data Sources
Required Tables
False Positives & Tuning
- IT asset inventory and SIEM configuration tools reading home directories during scheduled discovery scans may match history file path patterns
- Endpoint detection agents (CrowdStrike Falcon, Carbon Black Response) accessing history files as part of their own behavioral telemetry collection routines
- System administration automation (Ansible playbooks, Chef recipes, Puppet manifests) that include history file paths in execution templates or verification steps
Other platforms for T1552.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Read bash_history File for Credentials
  Expected signal: Linux auditd EXECVE records for cat and grep with a .bash_history path. OPEN syscall for .bash_history. Process chain visible in auditd records.
- Test 2: Access Another User's bash_history
  Expected signal: Linux auditd SYSCALL record with the uid of the calling user but auid of root for the cat command. OPEN syscall for /root/.bash_history. sudo usage logged in /var/log/auth.log.
- Test 3: Read Windows PowerShell History
  Expected signal: Sysmon Event ID 1: cmd.exe with 'type' and 'ConsoleHost_history.txt' in the command line. Sysmon Event ID 11: file access for ConsoleHost_history.txt.
- Test 4: Enumerate All Shell History Files on System
  Expected signal: Linux auditd EXECVE for find with a .bash_history pattern. Multiple OPEN syscalls, one for each discovered history file. Process chain showing find followed by cat.
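The following is an added example, not code from the original page or from QRadar, that re-implements the WHERE clause of the AQL query above in Python and runs it over a handful of constructed, already-normalized events shaped like the four tests in the testing methodology, plus the shell and PowerShell self-access cases the query excludes and the configuration-management false positive noted under tuning. The `Event` fields mirror the custom properties the query depends on ("File Path", "Process Name", "Command"); all event values, the fixed `NOW_MS` clock, and the `tune` allowlist helper are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed "now" in epoch milliseconds so the 24-hour window is deterministic.
NOW_MS = 1_700_000_000_000
DAY_MS = 86_400_000

# Substrings from the query's ILIKE '%...%' clauses, one tuple per branch.
FILE_PATH_NEEDLES = (".bash_history", ".zsh_history", "/.history", ".sh_history",
                     "ConsoleHost_history.txt", "PSReadLine")
COMMAND_NEEDLES = (".bash_history", ".zsh_history", "ConsoleHost_history.txt",
                   "Get-History", "PSReadLine")
# Process names each branch excludes. ILIKE without a wildcard is an exact,
# case-insensitive comparison, so "cat" is not excluded by 'sh'.
FILE_PATH_EXCLUDED = ("bash", "zsh", "sh", "sshd", "powershell.exe", "pwsh.exe")
COMMAND_EXCLUDED = ("bash", "zsh", "sh", "powershell.exe", "pwsh.exe")


@dataclass
class Event:
    """One normalized event; field names follow the custom properties the query uses."""
    event_id: int
    starttime: int                   # epoch ms
    process_name: Optional[str]      # "Process Name"
    file_path: Optional[str] = None  # "File Path"
    command: Optional[str] = None    # "Command"


def ilike_contains(value, needle):
    """ILIKE '%needle%': case-insensitive substring match; a NULL field never matches."""
    return value is not None and needle.lower() in value.lower()


def ilike_equals(value, literal):
    """ILIKE 'literal' with no wildcard: case-insensitive equality; NULL never matches."""
    return value is not None and value.lower() == literal.lower()


def matches_history_access(ev):
    """Python equivalent of the WHERE clause: either branch, each with its own exclusions."""
    path_hit = any(ilike_contains(ev.file_path, n) for n in FILE_PATH_NEEDLES)
    path_excluded = any(ilike_equals(ev.process_name, p) for p in FILE_PATH_EXCLUDED)
    cmd_hit = any(ilike_contains(ev.command, n) for n in COMMAND_NEEDLES)
    cmd_excluded = any(ilike_equals(ev.process_name, p) for p in COMMAND_EXCLUDED)
    return (path_hit and not path_excluded) or (cmd_hit and not cmd_excluded)


def run_query(events, now_ms=NOW_MS, limit=10000):
    """Apply the 24-hour window, the predicate, ORDER BY starttime DESC and the row limit."""
    hits = [e for e in events
            if e.starttime > now_ms - DAY_MS and matches_history_access(e)]
    hits.sort(key=lambda e: e.starttime, reverse=True)
    return hits[:limit]


def tune(results, allowlisted_processes):
    """Tuning step from the false-positive notes: drop known-good automation by process name (assumed helper)."""
    allow = {p.lower() for p in allowlisted_processes}
    return [e for e in results if (e.process_name or "").lower() not in allow]


# Constructed sample events (invented values, not real telemetry).
SAMPLE_EVENTS = [
    # Tests 1/2: cat reading another user's history -> matches on File Path
    Event(1, NOW_MS - 60_000, "cat", file_path="/root/.bash_history",
          command="cat /root/.bash_history"),
    # A shell writing its own history on logout -> excluded by process name
    Event(2, NOW_MS - 120_000, "bash", file_path="/home/alice/.bash_history"),
    # Test 3: cmd.exe dumping the PSReadLine history -> matches on Command
    Event(3, NOW_MS - 180_000, "cmd.exe",
          command=r"cmd.exe /c type C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                  r"\PowerShell\PSReadline\ConsoleHost_history.txt"),
    # PowerShell loading its own history at startup -> excluded
    Event(4, NOW_MS - 240_000, "powershell.exe",
          file_path=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell"
                    r"\PSReadline\ConsoleHost_history.txt"),
    # Test 4: find enumerating history files -> matches on Command
    Event(5, NOW_MS - 300_000, "find", command="find / -name .bash_history -type f"),
    # Same behaviour three days ago -> outside the 24-hour window
    Event(6, NOW_MS - 3 * DAY_MS, "cat", file_path="/home/carol/.zsh_history"),
    # Configuration-management run referencing a history path -> matches; tuning candidate
    Event(7, NOW_MS - 360_000, "ansible-playbook",
          command="ansible-playbook site.yml -e history=/home/dave/.bash_history"),
]

if __name__ == "__main__":
    hits = run_query(SAMPLE_EVENTS)
    print("raw hits:", [e.event_id for e in hits])                               # [1, 3, 5, 7]
    print("after tuning:", [e.event_id for e in tune(hits, ["ansible-playbook"])])  # [1, 3, 5]
```

Note that the exclusions compare the bare process name; if a log source normalizes "Process Name" to a full path such as /usr/bin/bash, the exclusion does not fire and every shell history write will surface, so check the property mapping for each log source before relying on the exclusion list.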
References (7)
- https://attack.mitre.org/techniques/T1552/003/
- https://linux.die.net/man/1/bash
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://docs.microsoft.com/en-us/powershell/module/psreadline/
- https://objective-see.org/blog/blog_0x25.html