[Osquery_manager] Shell history artifact saved query

[tomsonpl]

Shell History Artifact

The Shell History artifact provides critical forensic visibility into command-line execution history across Linux and macOS systems. This query uniquely implements anti-forensics detection using LEFT JOIN to identify users with missing or cleared shell history—a key indicator of compromise or malicious activity.

Core Forensic Artifacts Coverage

#	Artifact	✓	OS	Query	File	Description
19	Shell History	✅	Linux	shell_history_linux_macos_elastic	8476c6fe	Command history with anti-forensics detection
19a	Shell History	✅	macOS	shell_history_linux_macos_elastic	8476c6fe	Command history with anti-forensics detection

MITRE ATT&CK Coverage

Technique ID	Name	Coverage
T1059.004	Command and Scripting Interpreter: Unix Shell	Direct detection of shell command execution
T1552.003	Unsecured Credentials: Bash History	Detection of credential exposure in history
T1070.003	Indicator Removal: Clear Command History	Anti-forensics detection via LEFT JOIN
T1105	Ingress Tool Transfer	Detection of download commands (curl, wget, etc.)
T1562.001	Impair Defenses: Disable or Modify Tools	Detection of users with disabled history

Queries by Platform

---

🐧 Linux / 🍎 macOS - Shell Command History with Anti-Forensics Detection

Description

Retrieves shell command history for all users with anti-forensics detection. Uses LEFT JOIN to identify users with no shell history (potential evidence of history clearing). Review results for: (1) suspicious command patterns including reverse shells, encoded commands, credential access, (2) users with no_history_suspicious='yes' indicating missing history files.

Detection Focus:

• Reverse shell commands (bash -i >& /dev/tcp/, nc -e /bin/sh)
• Base64 encoded commands (echo ... | base64 -d | sh)
• Credential access attempts (cat /etc/passwd, cat ~/.ssh/*)
• Download/transfer tools (curl, wget, scp, rsync)
• History evasion (unset HISTFILE, HISTSIZE=0, history -c)
• Users with no shell history (anti-forensics indicator)

Key Features

Feature	Implementation
Anti-Forensics Detection	LEFT JOIN reveals users with no history files
Shell Type Identification	Detects bash, zsh, fish, ash from history file paths
Timestamp Handling	Gracefully handles missing timestamps (time=0)
System User Filtering	Filters system accounts (uid < 500) unless they have history

Result

Query results include:

• username, uid, gid - User identification
• user_home - User's home directory path
• command - The executed command (NULL if no history)
• history_file - Path to the history file
• shell_type - Detected shell (bash/zsh/fish/ash/unknown)
• command_time - Human-readable timestamp or 'unknown'
• command_timestamp - Raw Unix epoch timestamp
• no_history_suspicious - 'yes' if user has no history (investigate!)

Platform

linux,darwin

Interval

3600 seconds (1 hour)

Query ID

shell_history_linux_macos_elastic

ECS Field Mappings

ECS Field	Query Column	Type
user.name	username	field
user.id	uid	field
user.group.id	gid	field
user.home	user_home	field
process.command_line	command	field
file.path	history_file	field
event.category	["process"]	static
event.type	["info"]	static
tags	["shell_history", "forensics", "anti_forensics_detection", ...]	static

SQL Query

-- Shell History - Command Execution Forensics with Anti-Forensics Detection
-- MITRE ATT&CK: T1059.004 (Unix Shell), T1552.003 (Bash History), T1070.003 (Clear History), T1105 (Ingress Tool Transfer), T1562.001 (Disable Tools)
-- Platforms: Linux, macOS
-- Uses LEFT JOIN to detect users with no shell history (anti-forensics indicator)
-- Note: Look for suspicious patterns and users with no_history_suspicious='yes'
SELECT
  u.username,
  u.uid,
  u.gid,
  u.directory AS user_home,
  sh.command,
  sh.history_file,
  CASE
    WHEN sh.history_file LIKE '%bash_history%' THEN 'bash'
    WHEN sh.history_file LIKE '%zsh_history%' THEN 'zsh'
    WHEN sh.history_file LIKE '%fish_history%' THEN 'fish'
    WHEN sh.history_file LIKE '%ash_history%' THEN 'ash'
    ELSE 'unknown'
  END AS shell_type,
  CASE
    WHEN sh.time > 0 THEN datetime(sh.time, 'unixepoch')
    ELSE 'unknown'
  END AS command_time,
  sh.time AS command_timestamp,
  CASE
    WHEN sh.command IS NULL THEN 'yes'
    ELSE 'no'
  END AS no_history_suspicious
FROM users u
LEFT JOIN shell_history sh ON sh.uid = u.uid
WHERE (u.uid >= 500 OR sh.command IS NOT NULL)
  AND (sh.command IS NULL OR sh.command != '')
ORDER BY u.username, sh.time DESC

---

Investigation Guidance

Suspicious Command Patterns to Search For

# Reverse shells
bash -i >& /dev/tcp/
nc -e /bin/sh
python -c 'import socket,subprocess,os'

# Encoded commands
base64 -d
echo ... | sh
eval $(...)

# Credential access
cat /etc/passwd
cat /etc/shadow
cat ~/.ssh/id_rsa
cat ~/.aws/credentials

# Download tools (check URLs)
curl -o
wget -O
scp user@remote:

# History evasion
unset HISTFILE
export HISTSIZE=0
history -c
rm ~/.bash_history

Limitations

Limitation	Impact	Mitigation
History disabled by attacker	Commands not recorded	Query detects via no_history_suspicious
HISTCONTROL=ignorespace	Commands with leading space not saved	Cannot recover; check shell configs
Missing timestamps	Some distros don't set HISTTIMEFORMAT	Query shows 'unknown' for timeline gaps
In-memory commands	Not written until shell exits	Use process_events for real-time

---

This PR was AI assisted with Claude Code

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: ac3bae9