Incident Response - Linux Bash History
119 views - 2 months ago
When performing an incident response on a Linux system or server, the bash history is vital for a number of reasons: it not only tells the story, it can also show what a user was doing at the time of an event or incident.
In this example we explore where the .bash_history file(s) can be found and how to view them, both directly in the terminal and with the history command.
LINUX COMMANDS:
history (shows the bash history held in memory by the current shell: the lines loaded from the history file plus the commands typed in this session)
history | grep -i "foobar" (searches the history from the terminal, case-insensitively, for "foobar")
history | grep -iE "foo|bar|blah" (the same search, but matches any of several case-insensitive terms: foo, bar or blah; egrep is the deprecated spelling of grep -E)
cat ~/.bash_history (shows the currently logged-in user's saved bash history; by default bash writes the session to this file only when the shell exits, so a live session's most recent commands may not be on disk yet)
cat /home/USER/.bash_history (shows another user's bash history; root's own file is /root/.bash_history, and the home directories worth checking are listed in /etc/passwd)
NOTE: you can only read other users' bash history if you are running as root or a privileged account, because bash creates the file with mode 600.
NOTE: history can be disabled (unset HISTFILE, HISTSIZE=0), cleared (history -c) or pointed at /dev/null with a symlink, so a missing, empty or symlinked .bash_history is itself a finding worth recording.
WARNING: from a system-hardening point of view, bash history can in some cases lead to privilege escalation: users may be issuing passwords in clear text on the command line, such as: mysql -u root -pP@SSword!, and that password is then stored in plain text in the history file. This can in fact lead to other issues not covered here.
#incidentresponse #socanalyst #cybersecurity #dfir #forensics #terminal
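The commands above do this one user at a time. As an added example that is not part of the original video, the script below applies the same checks across every interactive account on a Linux root (a live host, or the mount point of a disk image): it enumerates home directories from /etc/passwd so /root is not missed, reports history files that are missing, empty or symlinked away, runs the same case-insensitive grep -E search over all of them, flags commands that carry a clear-text password such as the mysql -p example, and decodes the #<epoch> timestamp lines bash writes when HISTTIMEFORMAT is set. The make_fixture function builds a constructed fake root tree with sample history so the script runs offline; the function names, the sample data and the credential regex are this example's own assumptions, not anything from the video.

```shell
#!/usr/bin/env bash
# Added example (not from the original video). Triage the .bash_history of every
# interactive account on a Linux root, as the commands above do by hand for one
# user. Assumptions: GNU-style grep/date/readlink; $1 is the root to inspect
# ("/" on a live host, or the mount point of a disk image); run as root so that
# other users' mode-600 history files are readable.

# home_dirs ROOT: home directories of root and ordinary users (UID >= 1000) from
# ROOT/etc/passwd, so /root/.bash_history is not forgotten.
home_dirs() {
    awk -F: '$1 == "root" || $3 >= 1000 { print $6 }' "$1/etc/passwd"
}

# history_files ROOT: one "path<TAB>status" line per account; status is ok,
# missing, empty or "symlink -> target" (a link to /dev/null is a common
# anti-forensic trick and means the commands were never saved).
history_files() {
    local root="${1%/}" home f
    home_dirs "$root" | while read -r home; do
        f="$root$home/.bash_history"
        if [ -L "$f" ]; then printf '%s\tsymlink -> %s\n' "$f" "$(readlink "$f")"
        elif [ ! -e "$f" ]; then printf '%s\tmissing\n' "$f"
        elif [ ! -s "$f" ]; then printf '%s\tempty\n' "$f"
        else printf '%s\tok\n' "$f"
        fi
    done
}

# grep_histories ROOT FLAGS PATTERN: grep -E PATTERN over every readable
# history file; output lines are "path:command".
grep_histories() {
    local root="$1" flags="$2" pattern="$3" f
    history_files "$root" | awk -F'\t' '$2 == "ok" { print $1 }' | while read -r f; do
        grep -E -H $flags -- "$pattern" "$f" || true
    done
}

# search_history ROOT WORD...: case-insensitive OR-search, what
# `history | grep -iE "foo|bar|blah"` does for one live shell, across all files.
search_history() {
    local root="$1"; shift
    grep_histories "$root" -i "$(IFS='|'; printf '%s' "$*")"
}

# find_cleartext_creds ROOT: commands carrying a secret on the command line:
# mysql/mysqldump -pSECRET or --password=, sshpass -p, curl -u user:pass, and
# VAR_PASS=value assignments. " -p[^ ]" deliberately skips a bare "-p"
# (interactive prompt) and does not match "--port". Hypothetical pattern set.
find_cleartext_creds() {
    grep_histories "$1" "" \
        'mysql[a-z]* .*( -p[^ ]|--password=)|sshpass +-p|curl .*-u +[^ ]+:[^ ]+|(^| )[A-Z_]*PASS[A-Z_]*='
}

# with_timestamps FILE: when HISTTIMEFORMAT is set, bash stores "#<epoch>" on
# the line before each command. Emit "time<TAB>command", with "-" when no
# timestamp was recorded (the raw epoch is kept if date cannot convert it).
with_timestamps() {
    local line ts='-'
    while IFS= read -r line; do
        case "$line" in '#'*)
            case "${line#\#}" in
                ''|*[!0-9]*) ;;   # an ordinary comment line, treat it as a command
                *) ts=$(date -u -d "@${line#\#}" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
                        || printf '%s' "${line#\#}"); continue ;;
            esac ;;
        esac
        printf '%s\t%s\n' "$ts" "$line"; ts='-'
    done < "$1"
}

# make_fixture: a constructed fake root tree (sample data, not a real case) so
# the functions can be exercised offline. Prints the directory it created.
make_fixture() {
    local r; r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/root" "$r/home/alice" "$r/home/bob" "$r/home/mallory"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'mallory:x:1002:1002::/home/mallory:/bin/bash' > "$r/etc/passwd"
    printf '%s\n' '#1716940800' "mysql -u root -pP@SSword! -e 'select 1'" \
        '#1716940860' 'mysqldump --port=3306 -u backup --password=Hunter2 shop > /tmp/shop.sql' \
        'systemctl restart nginx' > "$r/root/.bash_history"
    printf '%s\n' 'ls -la /var/www' 'wget http://example.invalid/foobar.sh' \
        'chmod +x foobar.sh' 'export DB_PASS=Tr0ub4dor' 'history -c' > "$r/home/alice/.bash_history"
    ln -s /dev/null "$r/home/mallory/.bash_history"   # bob has no history file at all
    printf '%s\n' "$r"
}

# Usage: bash hist_triage.sh /            (live host, as root)
#        bash hist_triage.sh /mnt/image   (mounted disk image)
if [ -n "${1:-}" ]; then
    printf '== history files ==\n'; history_files "$1"
    printf '\n== clear-text credentials ==\n'; find_cleartext_creds "$1"
    if [ -s "${1%/}/root/.bash_history" ]; then
        printf '\n== root timeline ==\n'; with_timestamps "${1%/}/root/.bash_history"
    fi
fi
```

Run it against a mounted image rather than the live root whenever possible: on a live host the suspect's shell may still be open, so its last commands are in memory and not yet in the file, and opening a root shell to read other users' files adds your own lines to /root/.bash_history.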
Published on 1403/03/09 (Solar Hijri calendar).