Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1085: Analytic 1085

A process outside of interactive shell context reads ~/.bash_history directly (e.g., using cat, less, grep), often shortly after privilege escalation or user switch (su/sudo). This may be followed by credential scanning in memory or file writes to new locations.

EnterpriseAN1085AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because direct access to a user’s ~/.bash_history can expose prior commands, operational details, paths, tokens, or credential-handling mistakes. For leaders, the practical issue is not the history file itself; it is whether Linux monitoring can distinguish normal user shell activity from a separate process reading another user’s command history, especially after su or sudo activity.

Executive priority

Prioritize this as a Linux visibility and incident-readiness question: can the organization prove when command history files are accessed, by whom, from which process context, and shortly after privilege changes? This supports identity and access governance, SOC triage quality, and post-incident evidence collection. Because ATT&CK provides no tactic mapping or relationship context for this analytic, it should be treated as a focused detection validation item rather than a standalone risk conclusion.

Technical view

Validate whether Linux telemetry captures process execution and file-read access involving ~/.bash_history, especially when the reading process is not an interactive shell and uses utilities such as cat, less, or grep. Correlate with nearby su or sudo activity where available. The official description also notes possible follow-on credential scanning in memory or file writes to new locations, so responders should check whether those evidence classes are available during investigation. No official detection logic is supplied, so local baselining and tuning are required.

Likely telemetry

  • Linux process execution events, including parent process, command line, user, and session context
  • File access telemetry for reads of ~/.bash_history
  • Authentication and privilege-change logs for su and sudo activity
  • User/session context that helps distinguish interactive shell use from non-interactive process access
  • File creation or write events to new locations after history-file access, where collected

Detection direction

  • Confirm that monitoring can identify reads of ~/.bash_history by processes outside an interactive shell context.
  • Correlate history-file reads with recent su or sudo events to raise investigative priority.
  • Tune for administrative and troubleshooting workflows that legitimately inspect shell history to reduce false positives.
  • Preserve parent/child process and session context; without it, teams may only see benign-looking utilities such as cat, less, or grep.
  • Because ATT&CK provides no official detection text, treat any rule as environment-specific and validate against local Linux administration patterns.

Mitigation priorities

  • Restrict unnecessary access to user history files through standard Linux permissions and least-privilege administration.
  • Reduce sensitive data exposure in shell history through policy, secure credential-handling practices, and user/admin training.
  • Ensure sudo/su logging and Linux process/file telemetry are retained long enough to support investigations.
  • Define response playbooks for suspicious history-file access that include checking recent privilege changes, related file writes, and potential credential exposure.
  • Use this analytic as part of broader Linux hardening and monitoring validation rather than as a complete control by itself.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux with a narrow behavioral description: a non-interactive process reading ~/.bash_history, potentially near privilege escalation or user switching. No tactics, relationships, or official detection logic were supplied, so the value is in validating telemetry coverage and correlation logic rather than asserting a specific adversary objective.

Assessment is limited to the official STIX fields, external reference, and absence of relationships provided. No active exploitation, attribution, specific technique mapping, guaranteed detection method, or customer exposure can be inferred from this object alone. Local Linux logging configuration determines whether this behavior is observable.

Official MITRE ATT&CK definition

Analytic 1085

A process outside of interactive shell context reads ~/.bash_history directly (e.g., using cat, less, grep), often shortly after privilege escalation or user switch (su/sudo). This may be followed by credential scanning in memory or file writes to new locations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b22749e16f9d69ea...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b22749e16f9d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1085
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use