Clear Command History

00:00

hello and welcome to another application of the minor tank framework discussion

00:05

today. We're going to be looking at clear command history. So do you jump right into this Theobald actives of today's discussion? Ours followed. So we're going to review what clear command history is within minor. And then we're going to discuss why we should

00:23

review it, why it should be reviewed while we should look for the clearing of commands where

00:28

those commands are stored, especially in Livingston, Mac OS and we're going to talk a little bit about some of the limitations of the Windows Command. Prompt us? Well, we want to look at some mitigation techniques, and we're going to talk detection techniques as well. So let's go ahead and jump right in

00:49

so clear command history

00:51

within the moderate framework we're looking at both Mac OS and Lennox, primarily, the commands of user enters into the terminal are actually kept track of the primary area. For this information is stored in a hidden file

01:07

dot bash underscore history, so anything that's entered into a terminal gets put into this particular file.

01:15

Now with this, this could also include things like credentials. So if you're using a credential set that's not encrypted, or if you just, or putting something in plain text, whatever the case may be, it's going to go into this file. So if a threat actor has a way to skim these files on limits or Mac systems,

01:34

then you could be looking at an exposure.

01:38

Now a threat actor will clear this information, typically to ensure the job of tracking their actions is a little more difficult. Something that we don't mention here, but we'll mention in becoming slides is that in the Windows

01:53

based systems, the terminal clears itself after it is closed, so you don't have a track of what those sessions included. There are some auditing functions and features that continue when certain things were executed through the command prompt. But a verbatim transcript of what runs through it is not native

02:14

in Windows. So it is worth a shot, though, to review four manipulations and things of that nature. So threat actors will likely put again commands and scripts that will remove command history. And so this is things like unset hissed file export. His file equals zero history. Dash, seed clear.

02:32

Remove the hidden file, however, don't let it deter you from looking to see if there's indicators of compromise in the terminals history.

02:43

And so if you suspect

02:45

that something has happened

02:46

and the terminal is cleared

02:49

in one of these operating systems and that you don't have a command history

02:53

and you know it should be recording those commands. And it's likely

03:00

when this command prompt again typically lose their history as soon as the session ends.

03:06

So not much that can be done there natively again.

03:09

So let's talk about mitigation techniques.

03:13

So within the limits environments, we can make the history file read on Lee so that it can't be manipulated by standard users and things of that nature.

03:23

We can also ensure that the users permissions Air Limited and so, making sure that a user can manipulate files that they don't have administrative privilege unnecessarily assigned to the account, making sure that the file can't be manipulated by the users. All of those things are a nice, pretty circle

03:39

that you have to put together. But once you do that, it would be good to keep that history file intact, and that could be beneficial in your troubleshooting efforts, and it may make finding a threat actor that much easier

03:52

now. Detection techniques,

03:54

Any alterations? Air clearing up The history file, of course, should be long. Does a suspicious activity and reviewed

04:00

again.

04:02

The Windows equivalent is not present, but you can enable some advanced automated functions and features for the command prompt. And you know, through some of the other areas that we've discussed ways that a threat actor could use power shell or the command prompt to run

04:17

certain things against services or to create registry entries. Do things of that nature.

04:24

Those things should be long. And even though you may not have the full syntax, if you've got some bits and pieces, you could put it back together and kind of understand what a threat actor was doing on a system.

04:33

So what? That Mom, let's go ahead and jump into a check on learning. True or false, the Windows Command line history is persistent between sessions.

04:44

All right, well, if you need some additional time, please pause the video and take a moment.

04:49

So we've discussed that the

04:53

Limits and Mac OS command line history is persistent as far as it gets put into a history file, But we have not indicated at all that the Windows Command line history is persistent between sessions or several terminal connections. And so this is going to be

05:11

false now. If you managed to have the terminal open,

05:15

there are some ways that you can actually take that and view The commands were put into that session. But assume is that session closes. You lose that history, so that's unfortunate.

05:27

So in summary of today's discussion, we reviewed clear command history as far as the better. In the defense evasion component of minor, we reviewed some mitigation techniques,

05:38

such as limiting permissions in those limits based environments to the history files and ensuring that users are operating in a method of least privilege.