Wednesday, May 23, 2018

How attackers alter the history in Linux:

During incident response and threat hunting, the analyst collects important artifacts and logs from the suspected or victim machine. When the infected device runs Linux, the list of commands executed by the attacker tells you how the infection flowed through the system. The 'history' command is what you use to get that list.

Let's see how an attacker modifies the history:

(Screenshot: entering the first command)

For instance, I print the sentence "this is hacker" using the echo command.

(Screenshot: the command for printing the message is done)


Once the print is done, check the history. It shows the echo command at serial number 595.

(Screenshot: history list)



Now go back to the terminal and press the up arrow until you reach the echo "this is hacker" statement. Just backspace that content and rewrite whatever you wish. In this case, I wrote "this is not hacker". But don't press Enter on that command; instead push the down arrow until you reach an empty prompt. Then run history and check the list.



Now we are unable to see "this is hacker" as the content of serial number 595. Instead it shows 595* "this is not hacker". This is how an attacker can edit the history.




Reason for the asterisk symbol in the Linux history:
The star or asterisk after the serial number in the history output is bash's indication that the entry has been modified in the current session.
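As an added example (not part of the original post), here is a small parser for the `history` output format shown above, which pulls out the entries bash has flagged with `*` so an analyst can spot in-session edits when reviewing a captured terminal. The sample history text is constructed for this example.

```python
import re
from typing import List, NamedTuple

# Lines as printed by bash's `history` builtin: an entry number, an
# optional "*" for an entry edited in the current session, then the text.
HISTORY_LINE = re.compile(r"^\s*(?P<num>\d+)(?P<mod>\*?)\s+(?P<cmd>.*)$")


class HistoryEntry(NamedTuple):
    number: int
    modified: bool
    command: str


def parse_history(output: str) -> List[HistoryEntry]:
    """Parse the text produced by running `history` in a bash session."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = HISTORY_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised history line: {line!r}")
        entries.append(HistoryEntry(int(m["num"]), m["mod"] == "*", m["cmd"]))
    return entries


def modified_entries(output: str) -> List[HistoryEntry]:
    """Return only the entries bash flags with '*' (edited but not re-executed)."""
    return [e for e in parse_history(output) if e.modified]


# Constructed sample, modelled on the session described in the post:
# entry 595 was recalled with the up arrow, rewritten and abandoned.
SAMPLE_HISTORY = """\
  593  ls -la
  594  cat /etc/hostname
  595* echo "this is not hacker"
  596  history
"""

if __name__ == "__main__":
    for e in modified_entries(SAMPLE_HISTORY):
        print(f"entry {e.number} was edited in-session: {e.command}")
```

Note that the `*` marker exists only in the live session's `history` output; when bash writes its history file it records the edited text without the marker, so capture `history` from the running shell rather than relying on the saved `.bash_history` alone.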


Post made by
newWorld

