There are a number of commands that may be used to conceal nefarious activity on a Linux system, mostly by clearing or overwriting the shell history files and the authentication log that records logon activity:
kill -9 $$
history -c
export HISTFILESIZE=0
export HISTSIZE=0
unset HISTFILE
echo "" > /var/log/auth.log
ln /dev/null ~/.bash_history -sf
rm ~/.bash_history -rf
echo "" > ~/.bash_history
shred -zu ~/.bash_history
Here is a quick-and-dirty RegEx to match on these when hunting through your EDR or system logs:
((rm|ln|echo|shred).*\.bash_history.*)|((export|unset) HIST(FILE)?(SIZE=0)?)|(kill -9 \$\$)|(history -c)|(echo.*\/auth\.log)
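As an added example (not from the original post), the regex above run over a handful of constructed command-line records of the kind an EDR or auditd export would give you; the sample events and user names are made up. It also shows one false positive the quick-and-dirty pattern produces: because both trailing groups are optional, `export HIST` matches any `HIST*` variable, not only the history-disabling ones.

```python
import re

# The post's quick-and-dirty regex, compiled once for the hunt.
ANTI_FORENSICS_RE = re.compile(
    r"((rm|ln|echo|shred).*\.bash_history.*)"
    r"|((export|unset) HIST(FILE)?(SIZE=0)?)"
    r"|(kill -9 \$\$)"
    r"|(history -c)"
    r"|(echo.*\/auth\.log)"
)

# Constructed sample records: (user, command line) pairs as an EDR or
# auditd export might present them. None of these come from a real host.
SAMPLE_EVENTS = [
    ("svc_deploy", "shred -zu ~/.bash_history"),
    ("alice", "export HISTSIZE=0"),
    ("alice", "unset HISTFILE"),
    ("bob", 'echo "" > /var/log/auth.log'),
    ("bob", "ln /dev/null ~/.bash_history -sf"),
    ("carol", "history -c"),
    ("carol", "kill -9 $$"),
    ("dave", "grep sshd /var/log/auth.log"),     # benign read of the log: no match
    ("dave", "export HISTTIMEFORMAT='%F %T '"),  # benign tweak, but "export HIST" matches
]


def hunt(events):
    """Return (user, command, matched_text) for every command the regex flags."""
    hits = []
    for user, cmd in events:
        m = ANTI_FORENSICS_RE.search(cmd)
        if m:
            hits.append((user, cmd, m.group(0)))
    return hits


if __name__ == "__main__":
    for user, cmd, matched in hunt(SAMPLE_EVENTS):
        print(f"{user:12} {cmd!r:45} matched: {matched!r}")
```

Triage the `export HIST` hits by the full variable name before escalating; the seven history-tampering commands from the post are all flagged, and the plain read of auth.log is not.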
Enjoy.