Shell command history modified


Goal

Detect the tampering of shell command history on a host or container.

Strategy

Commands run in an interactive shell are recorded in a local history file so users can review the applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of this file by deleting it, truncating it, or replacing it with a symlink to /dev/null so that nothing is recorded. This hides their actions and delays the incident response process.
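The three tampering conditions above (deletion, truncation, symlink to /dev/null) written out as detection logic, added here as an example that is not the rule's or the Datadog Agent's own code. The event schema, the set of history file names, and the temp-directory demo are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# History files written by common interactive shells (illustrative list, an assumption).
HISTORY_NAMES = {".bash_history", ".zsh_history", ".sh_history", ".ash_history"}


def is_history_file(path: str) -> bool:
    return Path(path).name in HISTORY_NAMES


def classify_event(event: dict) -> Optional[str]:
    """Label a file event as history tampering, or None if not of interest.
    Event fields (constructed schema, not the agent's): op, path, target, flags."""
    if not is_history_file(event.get("path", "")):
        return None
    op = event.get("op")
    if op == "unlink":
        return "deleted"
    if op == "symlink" and event.get("target") == "/dev/null":
        return "symlinked_to_dev_null"
    if op == "truncate" or (op == "open" and "O_TRUNC" in event.get("flags", "")):
        return "truncated"
    return None


def inspect_history_file(path: str) -> Optional[str]:
    """Point-in-time check of a history file on disk for the same conditions."""
    p = Path(path)
    if p.is_symlink() and os.path.realpath(path) == "/dev/null":
        return "symlinked_to_dev_null"
    if not p.exists():           # exists() follows symlinks, so a dangling link counts as gone
        return "deleted"
    if p.stat().st_size == 0:    # emptied or truncated
        return "truncated"
    return None


def run_demo() -> dict:
    """Create constructed sample history files in a temp dir and inspect each one."""
    d = tempfile.mkdtemp()
    good, empty, linked, gone = (os.path.join(d, n) for n in sorted(HISTORY_NAMES))
    Path(good).write_text("ls -la\ncat /etc/hostname\n")   # .ash_history: intact
    Path(empty).write_text("")                              # .bash_history: truncated
    os.symlink("/dev/null", linked)                         # .sh_history: symlinked
    # .zsh_history is never created, which stands in for a deleted file
    return {"good": inspect_history_file(good), "empty": inspect_history_file(empty),
            "linked": inspect_history_file(linked), "gone": inspect_history_file(gone)}


if __name__ == "__main__":
    print(run_demo())
```

Shells rewrite their own history file on exit, so in a real pipeline a truncation should be correlated with the acting process before it is treated as tampering.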

Triage and response

  1. Review the tampering action taken against the shell command history files.
  2. Review the user or process that performed the action against the shell command history.
  3. Determine whether or not this is expected behavior.
  4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.

Requires Agent version 7.27 or greater
