Eric Partington

Log your Bash history?

Blog post created by Eric Partington (Employee) on Apr 12, 2017

Based on some recent events related to Equation Group, logging command-line history became a more interesting topic for me to investigate. Some indicators were published in the Sigma rule linked below that might have been useful to look for, if analysts had a way to look at Linux command-line/bash history.

https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_lnx.yml


So the question became: how do enterprises log command-line information for all or targeted users or commands, much like PowerShell logging can be used to get useful Windows endpoint information for forensic investigations?

Natively there appeared to be many hacks to get some form of logging via syslog to a SIEM, but the consensus appeared to be using Auditd to create rules that log events of interest and then forwarding those via syslog. I am still investigating how to get that working in my demo environment, but I took a slight pivot and looked at NetWitness Endpoint to see what information could be extracted from its database and leveraged instead.
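To make the Auditd approach concrete, here is an added example (not code from the original post or from RSA) of what the raw audit records look like once an execve rule is in place, and how to turn them back into the user/command fields you would want in a SIEM. It assumes a rule such as `-a always,exit -F arch=b64 -S execve -k cmdlog` in `/etc/audit/rules.d/` (the file name `cmdlog.rules` and the key `cmdlog` are my choices); with that rule each command produces a SYSCALL record (auid, uid, comm, exe) and an EXECVE record (a0..aN) that share the same `msg=audit(timestamp:serial)` id. The sample log lines are constructed for the example, and the second one shows the edge case that trips up naive parsers: arguments containing spaces are written by the kernel as unquoted hex, not as quoted strings.

```python
"""Reconstruct executed command lines from Linux audit (auditd) records.

Assumed rule in /etc/audit/rules.d/cmdlog.rules (standard auditctl syntax):
    -a always,exit -F arch=b64 -S execve -k cmdlog
    -a always,exit -F arch=b32 -S execve -k cmdlog
"""
import re
import shlex
from collections import OrderedDict

# Constructed sample records (not a real capture). Serial 101 is
# `cat /etc/passwd`; serial 102 is `bash -c "id; uname -a"`, whose second
# argument contains spaces and is therefore hex-encoded by the kernel.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1491998400.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2245 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="cmdlog"
type=EXECVE msg=audit(1491998400.123:101): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1491998407.456:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2260 auid=1000 uid=0 gid=0 comm="bash" exe="/usr/bin/bash" key="cmdlog"
type=EXECVE msg=audit(1491998407.456:102): argc=3 a0="bash" a1="-c" a2=69643B20756E616D65202D61
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


def decode_value(raw):
    """Turn one audit field value into text: strip the quotes of a normal
    value, or decode the unquoted uppercase-hex form the kernel uses for
    values containing whitespace or non-printable bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_fields(body):
    """Split the key=value part of a record into a dict of raw values."""
    return {k: v for k, v in FIELD_RE.findall(body)}


def parse_audit_log(text):
    """Join SYSCALL and EXECVE records by (timestamp, serial) and return one
    dict per executed command, in log order. Events without an EXECVE
    record (e.g. a truncated capture) are dropped rather than half-filled."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record we understand; skip it
        key = (m["ts"], m["serial"])
        ev = events.setdefault(
            key, {"timestamp": float(m["ts"]), "serial": int(m["serial"])})
        fields = parse_fields(m["body"])
        if m["type"] == "SYSCALL":
            # auid is the original login user, which survives su/sudo;
            # uid is the effective user at the time of the execve.
            ev["auid"] = int(fields.get("auid", -1))
            ev["uid"] = int(fields.get("uid", -1))
            ev["comm"] = decode_value(fields.get("comm", ""))
            ev["exe"] = decode_value(fields.get("exe", ""))
            ev["key"] = decode_value(fields.get("key", ""))
        elif m["type"] == "EXECVE":
            argc = int(fields.get("argc", 0))
            argv = [decode_value(fields[f"a{i}"])
                    for i in range(argc) if f"a{i}" in fields]
            ev["argv"] = argv
            # shlex.join re-quotes arguments so the line is unambiguous.
            ev["command"] = shlex.join(argv)
    return [ev for ev in events.values() if "argv" in ev]


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_LOG):
        print(f'{ev["serial"]} auid={ev["auid"]} uid={ev["uid"]} '
              f'exe={ev["exe"]} cmd={ev["command"]}')
```

Running the block prints one line per command from the constructed log; the second line reads `bash -c 'id; uname -a'`, which is the decoded form of the hex argument. The `auid`/`uid` split matters for investigations: `auid` stays the original login user across `su` and `sudo`, so it is the field to map to the SIEM's user key, while `uid` tells you the privilege the command actually ran with.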

https://community.rsa.com/community/products/netwitness/blog/2017/03/10/investigations-with-endpoint-tracking-data


Using the post from Chris Thomas as a template to create a similar ODBC connection for Linux machines, a similar event source and ODBC typespec were created to pull Linux bash history into NetWitness Logs, where you can leverage the native investigation capabilities to look for the indicators in the first link (as well as any others that might be useful). The bash history is captured at scan time only (unlike the Windows tracking data), but it still gets some potentially useful information into the SIEM.


This is what we can currently extract for Linux endpoint agents:

Specifically, we are pulling in the client MAC, client IP, client hostname, user, and command (param).

The command-line parameters are written into the same meta key as the Windows tracking data so that everything is grouped together (with a different device.type = nwe_tracking_linux).

Typespec and parser are included below; it is the same implementation as for the Windows tracking data.