Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion.
00:05
Today we're going to be looking at Clear Command History. So, to jump right into this, the objectives of today's discussion are as follows. We're going to review what Clear Command History is within MITRE. And then we're going to discuss why we should
00:23
review it, why it should be reviewed, why we should look for the clearing of commands, where
00:28
those commands are stored, especially in Linux and macOS, and we're going to talk a little bit about some of the limitations of the Windows Command Prompt as well. We want to look at some mitigation techniques, and we're going to talk about detection techniques as well. So let's go ahead and jump right in.
00:49
So, Clear Command History
00:51
within the MITRE framework: we're looking at both macOS and Linux, primarily. The commands a user enters into the terminal are actually kept track of. The primary area for this information is a hidden file,
01:07
.bash_history, so anything that's entered into a terminal gets put into this particular file.
01:15
Now with this, this could also include things like credentials. So if you're using a credential set that's not encrypted, or if you're just putting something in plain text, whatever the case may be, it's going to go into this file. So if a threat actor has a way to skim these files on Linux or Mac systems,
01:34
then you could be looking at an exposure.
01:38
Now a threat actor will clear this information, typically to ensure the job of tracking their actions is a little more difficult. Something that we don't mention here, but we'll mention in upcoming slides, is that in Windows-
01:53
based systems, the terminal clears itself after it is closed, so you don't have a record of what those sessions included. There are some auditing functions and features that can tell you when certain things were executed through the command prompt, but a verbatim transcript of what runs through it is not native
02:14
in Windows. It is worth a shot, though, to review for manipulations and things of that nature. So threat actors will likely, again, put in commands and scripts that will remove command history. And so this is things like unset HISTFILE, export HISTFILE=0, history -c, clear,
02:32
and removing the hidden file. However, don't let that deter you from looking to see if there are indicators of compromise in the terminal's history.
02:43
And so if you suspect
02:45
that something has happened
02:46
and the terminal is cleared
02:49
in one of these operating systems and that you don't have a command history
02:53
and you know it should be recording those commands, then it's likely something has happened.
03:00
Windows command prompts, again, typically lose their history as soon as the session ends.
03:06
So there's not much that can be done there natively, again.
03:09
So let's talk about mitigation techniques.
03:13
So within the Linux environments, we can make the history file read-only so that it can't be manipulated by standard users and things of that nature.
03:23
We can also ensure that the user's permissions are limited, and so making sure that a user can't manipulate files, that they don't have administrative privilege unnecessarily assigned to the account, making sure that the file can't be manipulated by the users. All of those things are a nice, pretty circle
03:39
that you have to put together. But once you do that, it would be good to keep that history file intact, and that could be beneficial in your troubleshooting efforts, and it may make finding a threat actor that much easier.
03:52
Now, detection techniques.
03:54
Any alterations or clearing of the history file, of course, should be logged as suspicious activity and reviewed
04:00
again.
04:02
The Windows equivalent is not present, but you can enable some advanced automated functions and features for the command prompt. And you know, through some of the other areas that we've discussed, ways that a threat actor could use PowerShell or the command prompt to run
04:17
certain things against services or to create registry entries, to do things of that nature.
04:24
Those things should be logged. And even though you may not have the full syntax, if you've got some bits and pieces, you could put it back together and kind of understand what a threat actor was doing on a system.
04:33
So with that, let's go ahead and jump into a check on learning. True or false: the Windows command line history is persistent between sessions.
04:44
All right, well, if you need some additional time, please pause the video and take a moment.
04:49
So we've discussed that the
04:53
Linux and macOS command line history is persistent, as far as it gets put into a history file. But we have not indicated at all that the Windows command line history is persistent between sessions or several terminal connections. And so this is going to be
05:11
false. Now, if you manage to have the terminal open,
05:15
there are some ways that you can actually take that and view the commands that were put into that session. But as soon as that session closes, you lose that history, so that's unfortunate.
05:27
So in summary of today's discussion, we reviewed Clear Command History as far as it sits in the Defense Evasion component of MITRE. We reviewed some mitigation techniques,
05:38
such as limiting permissions in those Linux-based environments to the history files and ensuring that users are operating in a method of least privilege.
05:47
And we reviewed some detection techniques, such as when history files are cleared or when manipulations are happening within those different components. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
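Editor's added example, not part of the instructor's lecture or the course materials. It exercises the Linux/macOS history-clearing commands named in the talk (unset HISTFILE, history -c, removing .bash_history) against a throwaway HOME directory with a constructed .bash_history, then runs the kind of checks a defender could use to notice the clearing, and shows the read-only HISTFILE mitigation. It assumes bash and standard coreutils are available; the sandbox path, sample commands and function names are the editor's own.

```shell
#!/usr/bin/env bash
# Added example by the editor; not from the instructor or the course.
# Sandbox HOME and its .bash_history contents are constructed for this demo.

# Create a sandbox HOME with a constructed .bash_history: four commands, one of
# which carries a plaintext password, the exposure the talk warns about.
make_sandbox() {
    local dir
    dir="$(mktemp -d)"
    printf '%s\n' \
        'ls -la' \
        'cd /var/www' \
        'mysql -u app -pS3cretPass appdb' \
        'sudo systemctl restart nginx' > "$dir/.bash_history"
    echo "$dir"
}

# Run the clearing sequence from the talk in a child shell whose HOME is the
# sandbox, so the real user's history is never touched.
clear_history_like_attacker() {
    local home="$1"
    HOME="$home" bash -c '
        unset HISTFILE                 # this shell will not save its session
        history -c                     # wipe the in-memory history list
        rm -f "$HOME/.bash_history"    # remove what earlier sessions wrote
    '
}

# Classify a history file against a known baseline line count:
# missing, empty, truncated (fewer lines than baseline) or intact.
history_state() {
    local file="$1" baseline="$2" lines
    [ -e "$file" ] || { echo missing; return 0; }
    lines="$(wc -l < "$file" | tr -d ' ')"
    if [ "$lines" -eq 0 ]; then
        echo empty
    elif [ "$lines" -lt "$baseline" ]; then
        echo truncated
    else
        echo intact
    fi
}

# Print (with line numbers) any recorded command that is itself a
# history-clearing indicator. Exit status 0 if anything matched, 1 otherwise.
find_clearing_commands() {
    grep -E -n \
        '(^|[;&| ])(unset +HISTFILE|history +-c|export +HIST(FILE|SIZE|FILESIZE)=|rm +(-r?f +)?(~|\$HOME)/\.bash_history|shred .*bash_history)' \
        "$1"
}

# Mitigation from the talk: a read-only history setting. Marking HISTFILE
# readonly in the shell makes "unset HISTFILE" fail. Exit status 0 when the
# variable survives the unset attempt.
readonly_blocks_unset() {
    bash -c 'readonly HISTFILE="$HOME/.bash_history"
             unset HISTFILE 2>/dev/null
             [ -n "$HISTFILE" ]'
}

main() {
    local home
    home="$(make_sandbox)"
    echo "before: $(history_state "$home/.bash_history" 4)"
    find_clearing_commands "$home/.bash_history" || echo "no clearing commands recorded"
    clear_history_like_attacker "$home"
    echo "after:  $(history_state "$home/.bash_history" 4)"
    readonly_blocks_unset && echo "readonly HISTFILE: unset refused"
    rm -rf "$home"
}

main
```

Two caveats a practitioner would add. The readonly trick only binds the shell session that applied it (typically from /etc/profile or the user's rc file); an attacker can start a different shell, point HISTFILE elsewhere before the rc file runs, or edit the rc file, so it belongs alongside a filesystem control that the user cannot undo (for example an append-only attribute set by root) and alongside logging of every change to the history file, which is the detection the talk calls for. And the file-state check is only meaningful against a baseline: record the expected line count or a hash of the file before an incident, or the "missing" and "truncated" results have nothing to compare to.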

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor