Techniques
Sample rules
Suspicious History File Operations
- source: sigma
- techniques:
- t1552
- t1552.003
Description
Detects command-line operations on shell history files
Detection logic
    condition: selection
    selection:
        CommandLine|contains:
            - .bash_history
            - .zsh_history
            - .zhistory
            - .history
            - .sh_history
            - fish_history
Suspicious History File Operations - Linux
- source: sigma
- techniques:
- t1552
- t1552.003
Description
Detects command-line operations on shell history files
Detection logic
    condition: execve and history
    execve:
        type: EXECVE
    history:
        - .bash_history
        - .zsh_history
        - .zhistory
        - .history
        - .sh_history
        - fish_history
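Both detection blocks above, evaluated over constructed sample events, as an added Python example (not code from this page or from the Sigma project). The `contains` modifier is implemented as a case-insensitive substring test, the unfielded `history` list is treated as a keyword search across all fields of an auditd record, and the `parse_auditd` key=value splitter is a simplification assumed here rather than a full auditd parser.

```python
import re
from typing import Dict, List

# Shell history file names taken from the rules' selection lists above.
HISTORY_FILES = [".bash_history", ".zsh_history", ".zhistory",
                 ".history", ".sh_history", "fish_history"]

def matches_history(value: str) -> bool:
    """Sigma 'contains': case-insensitive substring match against any listed name."""
    v = value.lower()
    return any(h.lower() in v for h in HISTORY_FILES)

def match_commandline_rule(event: Dict[str, str]) -> bool:
    """Rule 1: CommandLine|contains any history file name."""
    return matches_history(event.get("CommandLine", ""))

def parse_auditd(line: str) -> Dict[str, str]:
    """Split one auditd record into key=value pairs (simplified, assumed format)."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))

def match_execve_rule(line: str) -> bool:
    """Rule 2: type must be EXECVE AND a history name must appear in some field."""
    rec = parse_auditd(line)
    if rec.get("type") != "EXECVE":
        return False
    return any(matches_history(v) for v in rec.values())

# Constructed sample telemetry: process-creation events and auditd lines.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/cat", "CommandLine": "cat /home/alice/.bash_history"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /home/alice"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'rm -f ~/.zsh_history'"},
]
SAMPLE_AUDITD_LINES: List[str] = [
    'type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="cat" a1="/home/alice/.bash_history"',
    'type=EXECVE msg=audit(1700000000.456:4243): argc=2 a0="ls" a1="-la"',
    # SYSCALL record mentions the file but is not EXECVE, so the AND condition fails.
    'type=SYSCALL msg=audit(1700000000.789:4244): syscall=59 exe="/usr/bin/cat" key=".bash_history"',
]

def run_rules(events: List[Dict[str, str]], audit_lines: List[str]) -> Dict[str, List[str]]:
    """Apply both rules and return the matching command lines / records."""
    return {
        "commandline_hits": [e["CommandLine"] for e in events if match_commandline_rule(e)],
        "execve_hits": [ln for ln in audit_lines if match_execve_rule(ln)],
    }

if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_PROCESS_EVENTS, SAMPLE_AUDITD_LINES).items():
        print(name, hits)
```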