{
    "type": "bundle",
    "id": "bundle--9bc8149b-6780-4f03-9418-6b8f6f9b8c2c",
    "spec_version": "2.0",
    "objects": [
        {
            "x_mitre_platforms": [
                "Linux",
                "macOS"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "attack-pattern--086952c4-5b90-4185-b573-02bad8e11953",
            "type": "attack-pattern",
            "created": "2017-12-14T16:46:06.044Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": true,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "external_id": "T1148",
                    "url": "https://attack.mitre.org/techniques/T1148"
                },
                {
                    "external_id": "CAPEC-13",
                    "source_name": "capec",
                    "url": "https://capec.mitre.org/data/definitions/13.html"
                }
            ],
            "modified": "2020-02-21T20:57:38.015Z",
            "name": "HISTCONTROL",
            "description": "The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                }
            ],
            "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. Additionally, users checking or changing their <code>HISTCONTROL</code> environment variable is also suspicious.",
            "x_mitre_version": "1.1",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_defense_bypassed": [
                "Log analysis",
                "Host forensic analysis"
            ],
            "x_mitre_permissions_required": [
                "User"
            ],
            "x_mitre_is_subtechnique": false
        }
    ]
}