This artifact enables grep-like searching of Bash and alternate shell history files.
It can also be used to target other files located in the user profile such as:
*_profile and *rc files./{root,home/*}/.*_history/{root,home/*}/.*_profile*rc file: /{root,home/*}/.*rcTags: .bash_history .bash_profile .bashrc
name: Linux.Sys.BashHistory
author: "Matt Green - @mgreen27"
description: |
This artifact enables grep-like searching of Bash and alternate shell history
files.
It can also be used to target other files located in the user profile such as:
- `*_profile` and `*rc` files.
- shell history: `/{root,home/*}/.*_history`
- profile: `/{root,home/*}/.*_profile`
- `*rc` file: `/{root,home/*}/.*rc`
Tags: .bash_history .bash_profile .bashrc
parameters:
- name: TargetGlob
default: /{root,home/*}/.*_history
- name: SearchRegex
type: regex
description: "Regex of strings to search in line."
default: '.'
- name: WhitelistRegex
type: regex
description: "Regex of strings to leave out of output."
default:
sources:
- query: |
LET files = SELECT OSPath FROM glob(globs=TargetGlob)
SELECT * FROM foreach(row=files,
query={
SELECT Line, OSPath FROM parse_lines(filename=OSPath)
WHERE
Line =~ SearchRegex
AND NOT if(condition= WhitelistRegex,
then= Line =~ WhitelistRegex,
else= FALSE)
})