title: Bash History (T1552.003)
id: df00tech-t1552-003
status: experimental
description: "Adversaries may search the command-line history on compromised systems for insecurely stored credentials. On Linux and macOS, shells such as Bash and Zsh write each interactive command to a history file (~/.bash_history, ~/.zsh_history), so any password or token passed as a command-line argument is stored on disk in cleartext. On Windows, PowerShell's PSReadLine module keeps an equivalent file at %USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt. Users frequently type credentials as arguments to tools like curl, ssh, mysql, psql, git, and the aws CLI; the history file then stays readable to anyone who can read the home directory, including later from backups. Kinsing malware is known to use this technique to harvest credentials in containerized environments."
references:
  - https://attack.mitre.org/techniques/T1552/003/
  - https://df00tech.com/detections/T1552.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1552.003
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# T1552.003 is a Linux/macOS technique; the PSReadLine history file named in the
# description needs a separate rule with product: windows.
logsource:
  category: process_creation
  product: linux
detection:
  # The df00tech logic ships as a KQL/SPL query that could not be auto-translated
  # (see the df00tech link under references). The selection below is a
  # conservative stand-in keyed on the history file names from the description,
  # not a translation of that query; the original placeholder matched every event.
  selection:
    CommandLine|contains:
      - '.bash_history'
      - '.zsh_history'
  condition: selection
falsepositives:
  - "Shell processes (bash, zsh, sh) legitimately reading their own history files at session start/end — this is normal behavior and should be excluded"
  - Backup agents reading home directories including shell history files as part of user data backup
  - System administration scripts that process or rotate shell history files for compliance or auditing
  - IDE and terminal applications that integrate with shell history for command completion features
  - Security tools performing scheduled credential hygiene scans on behalf of users
level: medium
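
A worked example of what the description covers, added here and not taken from df00tech or MITRE: a small Python scanner that reads bash and zsh history text and reports commands carrying a credential argument, with the secret redacted. Run against a real ~/.bash_history it shows what a Kinsing-style search would harvest and what a hygiene scan should purge. The credential patterns, the sample history lines and the redaction marker are assumptions for this example and cover only a few common tools.

```python
"""Added example, not df00tech's or MITRE's code, for T1552.003.

find_credentials_in_history() scans bash history (one command per line, with an
optional '#<epoch>' line before each entry when HISTTIMEFORMAT is set) and zsh
EXTENDED_HISTORY (': <epoch>:<elapsed>;<cmd>') for commands that pass a secret
as an argument. The pattern list is a small, assumed set of common cases.
"""
import re

# Secrets handed over as CLI arguments. Each pattern names the secret as a
# group so it can be redacted before a finding is logged anywhere.
CREDENTIAL_PATTERNS = [
    # mysql -pSecret (no space; a bare '-p' only prompts) or --password=Secret
    ("mysql_password", re.compile(r"\bmysql\b.*?\s(?:-p|--password=)(?P<secret>\S+)")),
    # curl -u user:pass
    ("curl_basic_auth", re.compile(r"\bcurl\b.*?\s-u\s+(?P<secret>\S+)")),
    # userinfo in a URL: postgres://user:pass@host, https://user:token@host
    ("url_userinfo", re.compile(r"[a-z+]+://[^/\s:@]+:(?P<secret>[^@\s]+)@")),
    # AWS secret exported inline
    ("aws_secret", re.compile(r"AWS_SECRET_ACCESS_KEY=(?P<secret>\S+)")),
    # sshpass -p Secret ssh ...
    ("sshpass", re.compile(r"\bsshpass\b.*?\s-p\s+(?P<secret>\S+)")),
]

ZSH_EXTENDED = re.compile(r"^: (?P<ts>\d+):\d+;(?P<cmd>.*)$")


def parse_history(text):
    """Yield (epoch_or_None, command) for each entry of a bash or zsh history."""
    pending_ts = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ZSH_EXTENDED.match(line)
        if m:
            yield int(m.group("ts")), m.group("cmd")
            continue
        if re.fullmatch(r"#\d+", line):  # bash HISTTIMEFORMAT timestamp line
            pending_ts = int(line[1:])
            continue
        yield pending_ts, line
        pending_ts = None


def find_credentials_in_history(text):
    """Return [(kind, command_with_secret_redacted)] for credential-bearing entries."""
    findings = []
    for _ts, cmd in parse_history(text):
        for kind, pat in CREDENTIAL_PATTERNS:
            m = pat.search(cmd)
            if m:
                start, end = m.span("secret")
                findings.append((kind, cmd[:start] + "<REDACTED>" + cmd[end:]))
                break  # one finding per command is enough
    return findings


# Constructed sample history for this example (fake secrets).
SAMPLE_BASH_HISTORY = """\
ls -la
#1713000000
mysql -h db.internal -u app -pS3cretPw prod
mysql -u app -p
curl -u admin:hunter2 https://api.internal/v1/status
git clone https://oauth2:ghp_exampletoken@github.com/org/repo.git
export AWS_SECRET_ACCESS_KEY=EXAMPLEsecretKey123
"""

SAMPLE_ZSH_HISTORY = """\
: 1713000100:0;psql postgres://app:pgpass@db.internal/prod
: 1713000200:5;sshpass -p Hunter3 ssh deploy@host
: 1713000300:0;ssh deploy@host
"""

if __name__ == "__main__":
    for kind, redacted in find_credentials_in_history(SAMPLE_BASH_HISTORY + SAMPLE_ZSH_HISTORY):
        print(f"[{kind}] {redacted}")
```

Note that `mysql -u app -p` (password prompted interactively) produces no finding, while `-pS3cretPw` does; that difference is exactly the habit a hygiene scan should surface. Redacting in the finding matters because the scanner's own output is otherwise a second copy of the secret.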

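The detection and falsepositives sections above, as an added example that is not df00tech's query: the rule's selection (a process whose command line names a history file) and one of its listed exclusions (backup agents) applied to constructed process_creation events in plain Python, so the logic can be checked against samples before a KQL/SPL version is deployed. It also covers the PSReadLine file from the description, which a single Sigma logsource cannot. The event field names (image, command_line, parent_image) and the backup-agent image names are assumptions for this example.

```python
"""Added example, not df00tech's detection logic, for T1552.003 (process_creation)."""

# History file names from the rule description (Linux/macOS shells and PSReadLine).
HISTORY_FILES = (".bash_history", ".zsh_history", "ConsoleHost_history.txt")

# Backup agents whose child processes may legitimately read home directories
# (assumed image names; tune to your environment). A shell re-reading its own
# HISTFILE creates no new process, so that exclusion from the falsepositives
# list belongs to file-access telemetry, not to this logsource.
BACKUP_AGENT_IMAGES = {"restic", "bacula-fd"}


def basename(path):
    """Last path component for both '/' and '\\' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(event):
    """Return 'alert', 'excluded:backup' or None for one process_creation event."""
    cmdline = event.get("command_line", "")
    # Case-insensitive so the Windows path in the description matches too.
    if not any(name.lower() in cmdline.lower() for name in HISTORY_FILES):
        return None
    if basename(event.get("parent_image", "")) in BACKUP_AGENT_IMAGES:
        return "excluded:backup"
    return "alert"


def detect_history_access(events):
    """Return the command lines that should raise an alert."""
    return [e["command_line"] for e in events if classify(e) == "alert"]


# Constructed sample events for this example.
SAMPLE_EVENTS = [
    {"image": "/usr/bin/cat", "command_line": "cat /root/.bash_history",
     "parent_image": "/bin/sh"},
    {"image": "/usr/bin/grep", "command_line": "grep -iE 'passw|token' /home/app/.zsh_history",
     "parent_image": "/tmp/dropper"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -c Get-Content $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"image": "/usr/bin/tar", "command_line": "tar czf home.tgz /home/app/.bash_history",
     "parent_image": "/usr/bin/restic"},
    {"image": "/usr/bin/ls", "command_line": "ls -la /home/app",
     "parent_image": "/bin/bash"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{classify(e) or 'no-match':16} {e['command_line']}")
```

Keying the exclusion on the parent image rather than on the child's command line keeps the backup carve-out from also excusing an attacker who copies a history file with tar; widen BACKUP_AGENT_IMAGES deliberately, one agent at a time, and leave the other falsepositives classes (IDE completion, scheduled hygiene scans) as tuning for your own telemetry.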