MITRE ATT&CK Technique
Credential Access
T1139
Description
Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
Supported Platforms
Linux
macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Bash keeps track of the commands users type on the '
'command-line with the "history" utility. Once a user logs '
'out, the history is flushed to the user’s '
'<code>.bash_history</code> file. For each user, this file '
'resides at the same location: <code>~/.bash_history</code>. '
'Typically, this file keeps track of the user’s last 500 '
'commands. Users often type usernames and passwords on the '
'command-line as parameters to programs, which then get saved '
'to this file when they log out. Attackers can abuse this by '
'looking through the file for potential credentials. '
'(Citation: External to DA, the OS X Way)',
'external_references': [{'external_id': 'T1139',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1139'},
{'description': 'Alex Rymdeko-Harvey, Steve Borosh. '
'(2016, May 14). External to DA, the '
'OS X Way. Retrieved July 3, 2017.',
'source_name': 'External to DA, the OS X Way',
'url': 'http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way'}],
'id': 'attack-pattern--44dca04b-808d-46ca-b25f-d85236d4b9f8',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:43.139Z',
'name': 'Bash History',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS'],
'x_mitre_version': '1.1'}