To test a Blumira detection after installing Blumira Agent on a Mac or Linux device, you can complete the steps below and then look for a related finding in the app.
Testing Bash/Zsh History Manipulation
Important: To avoid accidentally overwriting a real zsh or bash history file or corrupting logs, the provided shell script is coded to execute only when it is run from /tmp/.
To test the detection, do the following:
- Copy this script to /tmp/ on the device.
- Run the script from a terminal on the device.
- In Blumira, navigate to Findings to search for an open finding named "Bash/Zsh History Manipulation".
This script will do the following, which are all attacker tactics used to tamper with shell history:
- Create a symbolic link to /dev/null named .zsh_history.
- Write "bash content" to a file named .zsh_history.
- Remove the .zsh_history file.
- Write "+o history" to a file named .bashrc.
- Replace all occurrences of +o history with +o history_disabled in .bashrc, demonstrating log tampering.
- Truncate the .zsh_history file to zero length.
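The six steps above are the indicators a detection has to recognise. As an added illustration (not Blumira's own detection logic, and not the test script itself), the following Python classifier flags a recorded shell command line as one of those six history-tampering tactics. It assumes the agent or an audit source makes the executed command line available as a string; the sample commands are constructed to mirror the test steps, plus two benign lines that must not fire.

```python
import re
from typing import Optional

# Assumption: each event is the executed command line as one string.
HISTORY_FILES = r"\.(?:bash|zsh)_history"
RC_FILES = r"\.(?:bashrc|zshrc|bash_profile|profile)"

# One (label, pattern) pair per tactic in the test script. Order matters:
# the truncate form ": > file" must be tried before the generic overwrite.
RULES = [
    ("symlink_history_to_devnull",
     re.compile(rf"\bln\s+-s\w*\s+/dev/null\s+\S*{HISTORY_FILES}\b")),
    ("truncate_history",
     re.compile(rf"(?:\btruncate\s+-s\s*0\s+\S*{HISTORY_FILES}\b"
                rf"|^\s*(?::|true)\s*>\s*\S*{HISTORY_FILES}\b)")),
    ("overwrite_history",  # single '>' redirect into a history file ('>>' is an append)
     re.compile(rf"(?<!>)>(?!>)\s*\S*{HISTORY_FILES}\b")),
    ("remove_history",
     re.compile(rf"\brm\b[^|;&]*{HISTORY_FILES}\b")),
    ("disable_history_in_rc",  # '+o history' redirected into a shell rc file
     re.compile(rf"\+o\s+history\b[^|;&]*>>?\s*\S*{RC_FILES}\b")),
    ("edit_rc_history_setting",  # in-place sed on the history setting in an rc file
     re.compile(rf"\bsed\b[^|;&]*\+o\s+history[^|;&]*{RC_FILES}\b")),
]


def classify_history_tampering(command: str) -> Optional[str]:
    """Return the tactic label for a command line, or None if it looks benign."""
    for label, pattern in RULES:
        if pattern.search(command):
            return label
    return None


def scan_commands(commands: list[str]) -> dict[str, str]:
    """Map each flagged command line to its tactic label; benign lines are dropped."""
    hits = {}
    for cmd in commands:
        label = classify_history_tampering(cmd)
        if label:
            hits[cmd] = label
    return hits


# Constructed sample: the six test-script actions plus two benign lines.
SAMPLE_COMMANDS = [
    "ln -sf /dev/null ~/.zsh_history",
    "echo 'bash content' > ~/.zsh_history",
    "rm -f ~/.zsh_history",
    "echo 'set +o history' >> ~/.bashrc",
    "sed -i 's/+o history/+o history_disabled/g' ~/.bashrc",
    "truncate -s 0 ~/.zsh_history",
    "cat ~/.zsh_history | grep ssh",                 # read-only, must not fire
    "echo 'export PATH=$PATH:~/bin' >> ~/.bashrc",   # ordinary rc edit, must not fire
]

if __name__ == "__main__":
    for cmd, label in scan_commands(SAMPLE_COMMANDS).items():
        print(f"{label:28s} {cmd}")
```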