@tomsonpl tomsonpl commented Dec 2, 2025

Shell History Artifact

The Shell History artifact provides critical forensic visibility into command-line execution history across Linux and macOS systems. This query uniquely implements anti-forensics detection using LEFT JOIN to identify users with missing or cleared shell history—a key indicator of compromise or malicious activity.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query File | Description |
| --- | --- | --- | --- | --- |
| 19 | Shell History | Linux | shell_history_linux_macos_elastic 8476c6fe | Command history with anti-forensics detection |
| 19a | Shell History | macOS | shell_history_linux_macos_elastic 8476c6fe | Command history with anti-forensics detection |

MITRE ATT&CK Coverage

| Technique ID | Name | Coverage |
| --- | --- | --- |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Direct detection of shell command execution |
| T1552.003 | Unsecured Credentials: Bash History | Detection of credential exposure in history |
| T1070.003 | Indicator Removal: Clear Command History | Anti-forensics detection via LEFT JOIN |
| T1105 | Ingress Tool Transfer | Detection of download commands (curl, wget, etc.) |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Detection of users with disabled history |

Queries by Platform


🐧 Linux / 🍎 macOS - Shell Command History with Anti-Forensics Detection

Description

Retrieves shell command history for all users with anti-forensics detection. Uses LEFT JOIN to identify users with no shell history (potential evidence of history clearing). Review results for: (1) suspicious command patterns including reverse shells, encoded commands, credential access, (2) users with no_history_suspicious='yes' indicating missing history files.

Detection Focus:

  • Reverse shell commands (bash -i >& /dev/tcp/, nc -e /bin/sh)
  • Base64 encoded commands (echo ... | base64 -d | sh)
  • Credential access attempts (cat /etc/passwd, cat ~/.ssh/*)
  • Download/transfer tools (curl, wget, scp, rsync)
  • History evasion (unset HISTFILE, HISTSIZE=0, history -c)
  • Users with no shell history (anti-forensics indicator)

Key Features

| Feature | Implementation |
| --- | --- |
| Anti-Forensics Detection | LEFT JOIN reveals users with no history files |
| Shell Type Identification | Detects bash, zsh, fish, ash from history file paths |
| Timestamp Handling | Gracefully handles missing timestamps (time=0) |
| System User Filtering | Filters system accounts (uid < 500) unless they have history |

Result

[Screenshot of query results, 2025-12-02]

Query results include:

  • username, uid, gid - User identification
  • user_home - User's home directory path
  • command - The executed command (NULL if no history)
  • history_file - Path to the history file
  • shell_type - Detected shell (bash/zsh/fish/ash/unknown)
  • command_time - Human-readable timestamp or 'unknown'
  • command_timestamp - Raw Unix epoch timestamp
  • no_history_suspicious - 'yes' if user has no history (investigate!)

Platform

linux,darwin

Interval

3600 seconds (1 hour)

Query ID

shell_history_linux_macos_elastic

ECS Field Mappings

| ECS Field | Query Column | Type |
| --- | --- | --- |
| user.name | username | field |
| user.id | uid | field |
| user.group.id | gid | field |
| user.home | user_home | field |
| process.command_line | command | field |
| file.path | history_file | field |
| event.category | ["process"] | static |
| event.type | ["info"] | static |
| tags | ["shell_history", "forensics", "anti_forensics_detection", ...] | static |

SQL Query

```sql
-- Shell History - Command Execution Forensics with Anti-Forensics Detection
-- MITRE ATT&CK: T1059.004 (Unix Shell), T1552.003 (Bash History), T1070.003 (Clear History), T1105 (Ingress Tool Transfer), T1562.001 (Disable Tools)
-- Platforms: Linux, macOS
-- Uses LEFT JOIN to detect users with no shell history (anti-forensics indicator)
-- Note: Look for suspicious patterns and users with no_history_suspicious='yes'
SELECT
  u.username,
  u.uid,
  u.gid,
  u.directory AS user_home,
  sh.command,
  sh.history_file,
  CASE
    WHEN sh.history_file LIKE '%bash_history%' THEN 'bash'
    WHEN sh.history_file LIKE '%zsh_history%' THEN 'zsh'
    WHEN sh.history_file LIKE '%fish_history%' THEN 'fish'
    WHEN sh.history_file LIKE '%ash_history%' THEN 'ash'
    ELSE 'unknown'
  END AS shell_type,
  CASE
    WHEN sh.time > 0 THEN datetime(sh.time, 'unixepoch')
    ELSE 'unknown'
  END AS command_time,
  sh.time AS command_timestamp,
  CASE
    WHEN sh.command IS NULL THEN 'yes'
    ELSE 'no'
  END AS no_history_suspicious
FROM users u
LEFT JOIN shell_history sh ON sh.uid = u.uid
WHERE (u.uid >= 500 OR sh.command IS NOT NULL)
  AND (sh.command IS NULL OR sh.command != '')
ORDER BY u.username, sh.time DESC
```

Investigation Guidance

Suspicious Command Patterns to Search For

```text
# Reverse shells
bash -i >& /dev/tcp/
nc -e /bin/sh
python -c 'import socket,subprocess,os'

# Encoded commands
base64 -d
echo ... | sh
eval $(...)

# Credential access
cat /etc/passwd
cat /etc/shadow
cat ~/.ssh/id_rsa
cat ~/.aws/credentials

# Download tools (check URLs)
curl -o
wget -O
scp user@remote:

# History evasion
unset HISTFILE
export HISTSIZE=0
history -c
rm ~/.bash_history
```

Limitations

| Limitation | Impact | Mitigation |
| --- | --- | --- |
| History disabled by attacker | Commands not recorded | Query detects via no_history_suspicious |
| HISTCONTROL=ignorespace | Commands with leading space not saved | Cannot recover; check shell configs |
| Missing timestamps | Some distros don't set HISTTIMEFORMAT | Query shows 'unknown' for timeline gaps |
| In-memory commands | Not written until shell exits | Use process_events for real-time |

This PR was AI assisted with Claude Code

- Uses LEFT JOIN to identify users with missing shell history
- Detects bash/zsh/fish/ash shell types from history file paths
- Handles edge case of missing timestamps (time=0)
- Includes user context: username, uid, gid, home directory
- Flags suspicious users with no_history_suspicious indicator
- MITRE ATT&CK: T1059.004, T1552.003, T1070.003, T1105, T1562.001
- Platforms: Linux, macOS
- Mark Shell History (Linux/Mac) as fully available
- Update coverage stats: 2 available, 38 in progress
- Add query file reference to core artifacts table (rows 19, 19a)
- Add shell_history to Additional Queries section (row 27)
- Update User Activity category status
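As an added example that is not part of the PR, the Python below loads constructed `users` and `shell_history` tables into sqlite3 (the engine osquery evaluates its SQL with), runs the PR's query unchanged apart from whitespace, and then triages the rows with the patterns from the Investigation Guidance section. The sample accounts, commands and the pattern-to-technique mapping are assumptions of the example, chosen to exercise the LEFT JOIN flag, the uid < 500 filter and the time=0 case.

```python
# Added example (not the PR's code): run the PR's query in sqlite3 on constructed tables.
import re
import sqlite3

QUERY = """
SELECT u.username, u.uid, u.gid, u.directory AS user_home, sh.command, sh.history_file,
  CASE WHEN sh.history_file LIKE '%bash_history%' THEN 'bash'
       WHEN sh.history_file LIKE '%zsh_history%' THEN 'zsh'
       WHEN sh.history_file LIKE '%fish_history%' THEN 'fish'
       WHEN sh.history_file LIKE '%ash_history%' THEN 'ash' ELSE 'unknown' END AS shell_type,
  CASE WHEN sh.time > 0 THEN datetime(sh.time, 'unixepoch') ELSE 'unknown' END AS command_time,
  sh.time AS command_timestamp,
  CASE WHEN sh.command IS NULL THEN 'yes' ELSE 'no' END AS no_history_suspicious
FROM users u LEFT JOIN shell_history sh ON sh.uid = u.uid
WHERE (u.uid >= 500 OR sh.command IS NOT NULL) AND (sh.command IS NULL OR sh.command != '')
ORDER BY u.username, sh.time DESC"""  # the PR's SQL, whitespace compacted

# Constructed data: root (has history), daemon (uid<500, none), alice (one time=0 row), mallory (history gone)
USERS = [("root", 0, 0, "/root"), ("daemon", 1, 1, "/usr/sbin"),
         ("alice", 501, 20, "/Users/alice"), ("mallory", 502, 20, "/Users/mallory")]
HISTORY = [(0, 1733150000, "ls -la", "/root/.bash_history"),
           (501, 1733150100, "git status", "/Users/alice/.zsh_history"),
           (501, 0, "cat ~/.aws/credentials", "/Users/alice/.zsh_history")]

# Patterns from the PR's investigation guidance, mapped to its ATT&CK table (assumed mapping).
PATTERNS = [(re.compile(p), t) for p, t in [
    (r"/dev/tcp/|nc -e", "T1059.004"), (r"base64 -d|eval \$\(", "T1059.004"),
    (r"/etc/shadow|\.ssh/id_|\.aws/credentials", "T1552.003"),
    (r"\bcurl -o|\bwget -O|\bscp \S+@", "T1105"),
    (r"unset HISTFILE|HISTSIZE=0|history -c|rm .*history", "T1562.001")]]


def run_query(users=USERS, history=HISTORY):
    con = sqlite3.connect(":memory:")  # osquery tables modelled with only the columns the query uses
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE users (username TEXT, uid INTEGER, gid INTEGER, directory TEXT)")
    con.execute("CREATE TABLE shell_history (uid INTEGER, time INTEGER, command TEXT, history_file TEXT)")
    con.executemany("INSERT INTO users VALUES (?,?,?,?)", users)
    con.executemany("INSERT INTO shell_history VALUES (?,?,?,?)", history)
    return [dict(r) for r in con.execute(QUERY)]


def triage(rows):
    """Rows -> {user: [ATT&CK ids]}: missing history is T1070.003, else whichever patterns match."""
    hits = {}
    for r in rows:
        tids = ["T1070.003"] if r["no_history_suspicious"] == "yes" else [
            t for rx, t in PATTERNS if rx.search(r["command"])]
        for t in tids:
            hits.setdefault(r["username"], set()).add(t)
    return {u: sorted(t) for u, t in hits.items()}
```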
@tomsonpl tomsonpl marked this pull request as ready for review December 2, 2025 14:42
@tomsonpl tomsonpl requested a review from a team as a code owner December 2, 2025 14:42
@tomsonpl tomsonpl requested review from pzl and szwarckonrad and removed request for a team December 2, 2025 14:42
@elasticmachine
💚 Build Succeeded

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Dec 2, 2025