DET0385: Detect Access and Parsing of .bash_history Files for Credential Harvesting
Analyst context for executives and security teams
DET0385 is a detection strategy for identifying access to, or parsing of, .bash_history files that may indicate credential harvesting. The business significance is that command history can unintentionally contain passwords, tokens, keys, connection strings, or administrative commands, turning a single compromised account or host into a broader credential-access event.
Executive priority
Treat this as a low-cost, high-value validation point for credential-access readiness. Leaders should ask whether Unix-like endpoint telemetry, file access auditing, and command-line monitoring are sufficient to show when shell history files are being searched or collected, and whether incident response playbooks include rapid credential review and rotation when such access is confirmed.
Technical view
This strategy detects ATT&CK T1552.003 Shell History under the credential-access tactic. Because the mirrored detection object provides no official detection logic or platform list, SOC teams should validate coverage against the related technique context: monitoring suspicious access to user shell history files such as ~/.bash_history and, where relevant, other shell history artifacts such as ~/.zsh_history. Detection should focus on unusual processes, users, or command lines that read, grep, copy, archive, or stage shell history files for exfiltration, especially outside normal interactive shell use or administrative troubleshooting.
Likely telemetry
- Endpoint process creation telemetry with command-line arguments
- File access or file read telemetry for user shell history files
- User and host context for interactive versus non-interactive sessions
- EDR or audit logs showing process ancestry and executed binaries
- Authentication and account context to support credential exposure assessment
Detection direction
- Confirm whether telemetry records reads or searches of ~/.bash_history and similar shell history files, not just process execution.
- Tune for context: normal shell operation and legitimate administration can touch history files, so prioritize unusual processes, bulk collection, scripted parsing, access across multiple users’ home directories, or activity by unexpected accounts.
- Correlate suspected history access with subsequent authentication attempts, lateral movement indicators, or use of credentials, without assuming compromise from file access alone.
- Review blind spots where endpoint agents do not capture file reads, command-line arguments are truncated, home directories are excluded, or macOS/Linux audit coverage is inconsistent.
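The detection direction above in code, as an added example that is not part of the ATT&CK object or of the Glexia page: it scores constructed process-creation events for the signals listed (a read/search/copy tool naming a history file, access to other users' home directories or a sweep of /home, a non-interactive session, an unexpected account) and then aggregates per-user bulk collection across home directories. The event fields, the READERS and TRUSTED_ADMIN sets and the thresholds are assumptions to be tuned against local telemetry.

```python
"""Score process-creation events for suspicious shell-history access.
Added example; events, tool lists and thresholds are assumptions for illustration."""
import re
import shlex
from collections import defaultdict

# Shell history artifacts to watch (bash, zsh, ksh/sh) and the home roots on Linux/macOS.
HISTORY_FILE = re.compile(r"(?:^|/)\.(?:bash_history|zsh_history|sh_history|history)$")
HOME_DIR = re.compile(r"^/(?:home|Users)/([^/]+)/")
HOME_ROOTS = ("/home", "/Users")
# Assumptions to tune locally: tools that read/search/copy/archive files, and accounts
# whose cross-user access is expected (backup or configuration-management identities).
READERS = {"cat", "grep", "egrep", "strings", "less", "head", "tail", "awk", "sed",
           "cp", "tar", "zip", "scp", "rsync", "find", "xargs", "python3", "perl"}
TRUSTED_ADMIN = {"root", "backup"}
ALERT_THRESHOLD = 5   # assumption: scores at or above this go to an analyst


def history_refs(cmdline):
    """Return (owners, sweep): the users whose history files the command line names
    (None = the caller's own, e.g. ~/.bash_history) and whether it sweeps a whole
    home root, as in 'find /home -name .bash_history'."""
    try:
        args = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes: fall back to whitespace split
        args = cmdline.split()
    paths = [a for a in args if HISTORY_FILE.search(a)]
    owners = set()
    for p in paths:
        m = HOME_DIR.match(p)
        owners.add(m.group(1) if m else None)
    sweep = bool(paths) and any(
        a.rstrip("/") in HOME_ROOTS or a.startswith(tuple(r + "/*" for r in HOME_ROOTS))
        for a in args)
    return owners, sweep


def analyze(event):
    """Score one event; returns (score, reasons), (0, []) when no history file is named."""
    owners, sweep = history_refs(event["cmdline"])
    if not owners:
        return 0, []
    user = event["user"]
    owners = {o or user for o in owners}
    score, reasons = 1, ["command line references a shell history file"]
    if event["exe"].rsplit("/", 1)[-1] in READERS:
        score += 2
        reasons.append("read/search/copy/archive tool, not the user's own shell")
    if (owners - {user}) or sweep:
        score += 3
        reasons.append("touches other users' history files")
        if user not in TRUSTED_ADMIN:
            score += 2
            reasons.append("account not expected to read other home directories")
    if not event["interactive"]:
        score += 1
        reasons.append("non-interactive (scripted) session")
    return score, reasons


def bulk_collectors(events, threshold=3):
    """Users who touched history in at least `threshold` distinct home directories
    (or swept a home root outright), mapped to the set of owners touched."""
    touched = defaultdict(set)
    for e in events:
        owners, sweep = history_refs(e["cmdline"])
        if sweep:
            touched[e["user"]].add("*")
        touched[e["user"]].update(o or e["user"] for o in owners)
    return {u: o for u, o in touched.items() if "*" in o or len(o) >= threshold}


def triage(events, threshold=ALERT_THRESHOLD):
    """Indices of events that meet the alert threshold."""
    return [i for i, e in enumerate(events) if analyze(e)[0] >= threshold]


# Constructed telemetry (not from a real host) with the fields EDR/auditd process
# events usually carry: user, executable, full command line, controlling terminal present.
EVENTS = [
    {"user": "alice", "exe": "/usr/bin/grep", "interactive": True,
     "cmdline": "grep -n 'ssh ' ~/.bash_history"},
    {"user": "alice", "exe": "/bin/bash", "interactive": True, "cmdline": "-bash"},
    {"user": "www-data", "exe": "/bin/cat", "interactive": False,
     "cmdline": "cat /home/bob/.bash_history"},
    {"user": "www-data", "exe": "/usr/bin/find", "interactive": False,
     "cmdline": "find /home -name .bash_history -exec cat {} \\;"},
    {"user": "svc-deploy", "exe": "/bin/tar", "interactive": False,
     "cmdline": "tar czf /tmp/.h.tgz /home/alice/.bash_history "
                "/home/bob/.zsh_history /home/carol/.bash_history"},
]

if __name__ == "__main__":
    for e in EVENTS:
        score, reasons = analyze(e)
        flag = "ALERT" if score >= ALERT_THRESHOLD else "ok   "
        print(f"{flag} {score:2d} {e['user']:<10} {e['cmdline']}")
        for r in reasons:
            print(f"           - {r}")
    for user, homes in bulk_collectors(EVENTS).items():
        print(f"BULK  {user} touched history under: {sorted(homes)}")
```

The scoring keeps a user grepping their own history from an interactive shell below the threshold, while a web-server account reading another user's history, a find sweep over /home, or a service account archiving several users' files all alert; the bulk view is what catches a collector that touches one file per event and so never scores high on any single line.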
Mitigation priorities
- Reduce credential exposure in shell history through user training and administrative standards that prohibit entering secrets directly on command lines.
- Harden secret handling by using approved credential stores, tokens, and environment-specific secret management rather than ad hoc command-line secrets.
- Restrict access to user home directories and shell history files according to least privilege.
- Include shell history review and credential rotation decisions in incident response procedures when suspicious access is observed.
- Use detection validation exercises to confirm SOC visibility before relying on this strategy as audit or compliance evidence.
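The incident-response step in the fourth mitigation point, reviewing a recovered history file for exposed secrets so the rotation decision is concrete, as an added example (not code from the ATT&CK object or from the Glexia page): it scans constructed history lines for the common ways secrets land on a command line, reports line number and category, and redacts the secret itself so the report can be shared. The pattern list and the sample history are assumptions for illustration; the -p rule is deliberately limited to mysql-style clients so that options such as find's -print do not trigger it.

```python
"""Review a recovered shell history for secrets that should drive a rotation decision.
Added example; the patterns and the sample history are constructed for illustration."""
import re

# Each pattern captures the secret in group 1 so the report can redact it but keep context.
# Tune to local conventions (internal token prefixes, secret-store hostnames, wrapper CLIs).
SECRET_PATTERNS = [
    ("mysql password on command line",
     re.compile(r"^(?:sudo\s+)?(?:mysql\w*|mariadb\w*)\b.*\s-p(\S+)")),
    ("secret in environment assignment",
     re.compile(r"\b[A-Z_]*(?:PASS|SECRET|TOKEN|KEY)[A-Z_]*=(\S+)")),
    ("bearer token header", re.compile(r"Authorization:\s*Bearer\s+(\S+)", re.I)),
    ("AWS access key id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("credentials embedded in URL",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")),
    ("user:password option", re.compile(r"\s(?:-u|--user)[= ]\S+?:(\S+)")),
    ("sshpass password", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("private key material", re.compile(r"(-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----)")),
]


def redact(line, m):
    """Replace the captured secret with a marker; the rest of the line stays for context."""
    return line[:m.start(1)] + "[REDACTED]" + line[m.end(1):]


def find_exposed_secrets(history_text):
    """Return (line_no, kind, redacted_line) for each history line that appears to carry a
    secret. Lines starting with '#' are skipped: bash writes '#<epoch>' timestamp lines
    when HISTTIMEFORMAT is set. One finding per line is enough for a rotation decision."""
    findings = []
    for n, line in enumerate(history_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        for kind, pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((n, kind, redact(line, m)))
                break
    return findings


# Constructed history, not taken from any real host; the AWS secret is Amazon's
# documentation example value.
SAMPLE_HISTORY = """\
#1700000000
ls -la
mysql -u app -pS3cretPass -h db.internal appdb
curl -H "Authorization: Bearer eyJhbGciOi.constructed.token" https://api.internal/v1/me
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
git clone https://deploy:hunter2@git.internal/app.git
curl -u svc:Passw0rd! https://vault.internal/v1/sys/health
find / -name .bash_history -print
sshpass -p 'Winter2024!' ssh admin@10.0.0.5
grep -i token ~/.bash_history
"""

if __name__ == "__main__":
    for n, kind, shown in find_exposed_secrets(SAMPLE_HISTORY):
        print(f"line {n:>3}  {kind:<32}  {shown}")
```

Run against a copied history file, the output is a list of which credential types were exposed and where, which is what the rotation decision needs; the secrets themselves never leave the host in the report.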
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description, detection text, tactics, or platforms. Its decision value comes from its name and its relationship to T1552.003 Shell History. The related technique supports credential-access framing and Linux/macOS shell history examples; any Windows applicability should be validated locally because this specific strategy name focuses on .bash_history.
This take does not assert active exploitation, attribution, or guaranteed detection coverage. Local shell configuration, endpoint logging, EDR capabilities, retention, and administrative practices determine whether the behavior can be detected reliably.
Detect Access and Parsing of .bash_history Files for Credential Harvesting
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.003 | Shell History (sub-technique) | This object detects Shell History. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bf713001d722… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0385 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.