Capture Bash logout files for examination of abnormal activity.
Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state. An adversary could leverage this capability to clear logs, cover tracks, delete files, etc.
name: Linux.System.BashLogout
description: |
Capture Bash logout files for examination of abnormal activity.
Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state. An adversary could leverage this capability to clear logs, cover tracks, delete files, etc.
type: CLIENT
author: Wes Lambert - @therealwlambert|@weslambert@infosec.exchange
parameters:
- name: BashLogoutGlob
default: /home/*/.bash_logout
- name: ContentFilter
default: .
description: Filter used for searching through file content
- name: UploadFiles
default: False
description: "Upload Bash logout files in scope"
type: bool
precondition:
SELECT OS From info() where OS = 'linux'
sources:
- query: |
LET BashLogoutList = SELECT OSPath, Mtime
FROM glob(globs=split(string=BashLogoutGlob, sep=","))
SELECT OSPath, Mtime, parse_string_with_regex(regex="(?sm)(?P<Commands>^[a-z].*)", string=read_file(filename=OSPath)).Commands AS Content,
if(condition=UploadFiles,then=upload(file=OSPath)) AS Upload
FROM foreach(row=BashLogoutList)
WHERE Content =~ ContentFilter