Description
Adversaries may search the command history on compromised systems for insecurely stored credentials.
On Linux and macOS systems, shells such as Bash and Zsh record the commands users type at the command line in their shell history (the history builtin lists it). By default the in-memory history is written to the user's history file when the shell exits, for example when the user logs out; Zsh can also be configured to append each command as it is run. Each user has one such file at a fixed location in their home directory, for example ~/.bash_history or ~/.zsh_history. How many commands are kept is controlled by the shell's history variables (HISTSIZE and HISTFILESIZE in Bash, HISTSIZE and SAVEHIST in Zsh); typically these files keep track of the user's last few hundred to 1000 commands.
On Windows, PowerShell keeps two histories: the session history, which Get-History reads and which is discarded when the session ends, and a persistent history that the PSReadLine module writes across all sessions. The default location of the persistent file is %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt; the path actually in use is reported by the HistorySavePath property of Get-PSReadLineOption. Command Prompt (CMD) on Windows does not have persistent history.(Citation: Microsoft about_History)(Citation: Medium)
Users often type usernames and passwords on the command line as parameters to programs, and those commands are saved to the history file when the shell exits. Adversaries can abuse this by looking through the file for potential credentials.(Citation: External to DA, the OS X Way)
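The search described above, as an added example that is not part of the original page: a POSIX shell script that builds constructed Bash and Zsh history files under a temporary directory (sample data, not real captures) and greps them for credential-looking arguments. The directory layout, user names, sample commands and the regular expression are assumptions made for this illustration; pointed at /home on a real host, the same functions run read-only.

```shell
#!/bin/sh
# Added example: harvest credential-looking commands from shell history files.
# The sample histories built below are constructed for this demo, not real captures.

# Patterns that commonly carry a secret on the command line:
#   -pSECRET / --password=SECRET   (mysql, mysqldump, ...), sshpass -p SECRET
#   password= / PASSWD= style assignments and exported cloud/API secrets
#   curl -u user:pass and scheme://user:pass@host URIs
CRED_PATTERN='(^| )-p[^ ]|--password[= ]|[Pp]ass(wd|word)?=|PASS(WD|WORD)?=|sshpass -p|curl .*-u [^ ]+:|[a-z]+://[^/ :@]+:[^@ ]+@|(AWS_SECRET_ACCESS_KEY|API_KEY|TOKEN)='

# Print matching lines from one history file. Handles the plain Bash format and
# Zsh extended history (": <epoch>:<duration>;command"), and skips the "#<epoch>"
# timestamp lines Bash writes when HISTTIMEFORMAT is set.
scan_history_file() {
  sed -E 's/^: [0-9]+:[0-9]+;//' "$1" | grep -v '^#' | grep -E "$CRED_PATTERN" || true
}

# Walk every user directory under $1 (e.g. /home) and prefix hits with their file.
scan_home_dirs() {
  for f in "$1"/*/.bash_history "$1"/*/.zsh_history "$1"/*/.sh_history; do
    [ -r "$f" ] || continue
    scan_history_file "$f" | sed "s|^|$f: |"
  done
}

# Number of credential-looking lines under $1.
count_history_creds() {
  scan_home_dirs "$1" | wc -l | tr -d ' '
}

# Build two constructed user homes with history files for the demo.
make_sample_homes() {
  mkdir -p "$1/alice" "$1/bob"
  cat > "$1/alice/.bash_history" <<'EOF'
ls -la
#1700000001
mysql -u root -pHunter2 shop
ssh admin@10.0.0.5
curl -u deploy:s3cr3t https://git.example.internal/api
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
git commit -m "fix -p flag parsing"
EOF
  cat > "$1/bob/.zsh_history" <<'EOF'
: 1700000000:0;sshpass -p 'Winter2024!' ssh ops@jump.example.internal
: 1700000042:3;psql postgres://app:AppPassw0rd@db.example.internal/app
: 1700000100:0;sudo systemctl restart nginx
EOF
}

DEMO=$(mktemp -d)
make_sample_homes "$DEMO"
scan_home_dirs "$DEMO"   # five hits: mysql -p, curl -u, AWS key, sshpass -p, postgres URI
echo "credential-looking lines: $(count_history_creds "$DEMO")"
rm -rf "$DEMO"
```

Note the `git commit -m "fix -p flag parsing"` line: a bare `-p` followed by a space is not treated as a hit, which keeps false positives down without missing the `-pHunter2` form that MySQL clients accept. The pattern list is deliberately conservative; extend it for the tools in use on the hosts you are assessing.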
Platforms
Linux, macOS, Windows
Mitigations (1)
Operating System Configuration (M1028)
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:
- set +o history to stop recording commands in the current session, and set -o history to start logging again;
- unset HISTFILE being added to a user's .bashrc file; and
- ln -s /dev/null ~/.bash_history to write commands to /dev/null i
These settings only stop the shell from recording commands. They do not remove secrets already on disk, and a password passed as an argument is still visible in the process list and in process-execution auditing while the command runs; the durable fix is to stop passing credentials on the command line (prompt for them, read them from a protected file, or use a credential helper). Note also that the same settings are used by adversaries to clear their own tracks (Indicator Removal: Clear Command History, T1070.003), so an unexpected unset HISTFILE in a user's .bashrc or a .bash_history symlinked to /dev/null is itself worth investigating.
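The mitigations listed above in action, as an added example that is not part of the original page: a POSIX shell script that runs a short Bash session with recording switched on, off and on again and shows what reaches the history file, then audits a home directory for the .bashrc and symlink mitigations. The two sample homes, their dot-files and the temporary paths are constructed for this demo; the audit function is illustrative and checks only the settings named in the list.

```shell
#!/bin/sh
# Added example: demonstrate and audit the shell-history mitigations.
# All paths and sample dot-files are constructed in temporary directories.

# Run a Bash script with recording toggled, and return the history file it wrote.
# Non-interactive shells start with history disabled, so the script enables it
# first; `history -w` flushes the in-memory list to $HISTFILE on the spot.
demo_history_toggle() {
  work=$(mktemp -d)
  cat > "$work/session.sh" <<'EOF'
set -o history
echo recorded-before
: mysql -u root -pHunter2      # no-op stand-in for a command carrying a password
set +o history                 # recording stops here
echo never-recorded
set -o history                 # and resumes here
echo recorded-after
history -w
EOF
  HISTFILE="$work/history" bash "$work/session.sh" >/dev/null
  echo "$work/history"
}

# Audit one home directory for the mitigations. Prints findings; returns 0 when
# history is suppressed by one of them, 1 when it will be written normally.
audit_history_config() {
  home=$1; suppressed=1
  if grep -Eq '^[[:space:]]*unset[[:space:]]+HISTFILE' "$home/.bashrc" 2>/dev/null; then
    echo "$home: .bashrc unsets HISTFILE"; suppressed=0
  fi
  if [ "$(readlink "$home/.bash_history" 2>/dev/null)" = /dev/null ]; then
    echo "$home: .bash_history is a symlink to /dev/null"; suppressed=0
  fi
  [ $suppressed -eq 0 ] || echo "$home: commands will be written to $home/.bash_history"
  return $suppressed
}

# Two constructed homes: default settings, and both mitigations applied.
make_demo_homes() {
  mkdir -p "$1/weak" "$1/hardened"
  echo 'alias ll="ls -la"' > "$1/weak/.bashrc"
  echo 'unset HISTFILE' > "$1/hardened/.bashrc"
  ln -s /dev/null "$1/hardened/.bash_history"
}

HIST=$(demo_history_toggle)
echo "--- history written by the toggle demo:"
cat "$HIST"      # has recorded-before, the -pHunter2 line and recorded-after; never-recorded is absent
BASE=$(mktemp -d)
make_demo_homes "$BASE"
audit_history_config "$BASE/weak" || true
audit_history_config "$BASE/hardened"
rm -rf "$BASE" "$(dirname "$HIST")"
```

The toggle demo also shows why the mitigation matters: the stand-in `-pHunter2` argument lands in the file verbatim. When reviewing a host, run the audit against every directory under /home (and /root) rather than the one you are logged in as.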
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has searched <code>bash_history</code> for credentials.(Citation: Aqua Kinsing April 2020) |
References
- Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.
- Michael Koczwara. (2021, March 14). Windows privilege escalation via PowerShell History. Retrieved June 13, 2025.
- Microsoft. (2024, January 19). about_History. Retrieved June 13, 2025.
Frequently Asked Questions
What is T1552.003 (Shell History)?
T1552.003 is the MITRE ATT&CK sub-technique 'Shell History', part of Unsecured Credentials (T1552) in the Credential Access tactic. Adversaries search the command history of compromised systems (Bash and Zsh history files on Linux and macOS, the PSReadLine history file on Windows) for credentials that users typed on the command line. See the Description above.
How can T1552.003 be detected?
Detection of T1552.003 (Shell History) rests on two sources: file-access monitoring of the history files themselves (~/.bash_history, ~/.zsh_history and ConsoleHost_history.txt) and process command-line telemetry showing programs such as cat, grep, strings or Get-Content reading them, especially from accounts or parent processes (a web server, a cron job, a freshly spawned reverse shell) that have no reason to. Reads of other users' history files, and commands that unset HISTFILE or symlink the history file to /dev/null, deserve the same attention.
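The command-line side of that detection, as an added example that is not part of the original page: a POSIX shell function that runs over a constructed tab-separated export of process telemetry (user, pid, command line), of the kind an EDR or an auditd EXECVE pipeline yields, and flags reads of history files and tampering with them. The record format, user names, pids and command lines are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example: flag process command lines that read or tamper with shell
# history files. The telemetry file is constructed here; it is not a real capture.

TAB=$(printf '\t')
HISTORY_FILES='[.](bash|zsh|sh)_history|ConsoleHost_history[.]txt'
# Programs whose job is to read files; a shell writing its own history never appears as one.
READERS='^(cat|grep|egrep|strings|less|more|tail|head|cp|scp|tar|Get-Content|type) '
# Programs used to blank or remove the file (Clear Command History, T1070.003).
TAMPER='^(rm|ln|truncate|shred|unlink) '

# $1: telemetry file with "user<TAB>pid<TAB>cmdline" records.
# Prints "read|tamper user pid cmdline" for each suspicious record.
flag_history_reads() {
  awk -F"$TAB" -v hf="$HISTORY_FILES" -v rd="$READERS" -v tp="$TAMPER" '
    $3 ~ hf && $3 ~ rd { print "read", $1, $2, $3 }
    $3 ~ hf && $3 ~ tp { print "tamper", $1, $2, $3 }
  ' "$1"
}

# Constructed sample telemetry: one benign shell, one self-read by the owner,
# one cross-user read from a service account, one benign editor, one symlink trick.
make_sample_telemetry() {
  {
    printf '%s\t%s\t%s\n' root     4101 'bash'
    printf '%s\t%s\t%s\n' alice    4120 'grep -i pass /home/alice/.bash_history'
    printf '%s\t%s\t%s\n' www-data 4133 'cat /home/bob/.bash_history /home/alice/.zsh_history'
    printf '%s\t%s\t%s\n' alice    4140 'vim /home/alice/.bashrc'
    printf '%s\t%s\t%s\n' root     4151 'tail -f /var/log/syslog'
    printf '%s\t%s\t%s\n' bob      4160 'ln -sf /dev/null /home/bob/.bash_history'
  } > "$1"
}

SAMPLE=$(mktemp)
make_sample_telemetry "$SAMPLE"
flag_history_reads "$SAMPLE"   # two "read" records (pids 4120, 4133) and one "tamper" (4160)
rm -f "$SAMPLE"
```

The www-data read is the high-signal case: a service account reading another user's history is rarely legitimate. The owner grepping her own file is flagged too; whether that is worth an alert depends on the environment, so treat the user column as the input to your scoring rather than filtering it out here.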
What mitigations exist for T1552.003?
There is one documented mitigation for T1552.003: Operating System Configuration (M1028), which covers stopping the shell from writing its history file at all. It limits what an adversary can find but does not address credentials passed on the command line, which remain visible to process listing and execution auditing.
Which threat groups use T1552.003?
This page lists no named threat groups for T1552.003; its one associated software entry is Kinsing (S0599), malware that searched bash_history for credentials. Check the MITRE ATT&CK website for the latest attribution.