🦖Day 88 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System.BashLogout
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.bashlogout
----
This artifact captures information about Bash logout files for examination of abnormal activity.
Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state.
----
An adversary could leverage this capability to cover their tracks by clearing logs, deleting files, etc.
One example of this is running the following commands at logout to clear the user's Bash history:
'history -c'
'cat /dev/null > ~/.bash_history'
https://attack.mitre.org/techniques/T1070/003/
----
This artifact also includes a content filter ('ContentFilter') to allow searching for specific content within the file.
Additionally, in-scope Bash logout files can be uploaded to the Velociraptor server by checking the box for the 'UploadFiles' option.
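As an added example (not part of the original post, and not the artifact's own VQL), here is a small Python checker that applies a content filter to .bash_logout files the way a reviewer would after collection, defaulting to the two history-clearing commands quoted above. The default regex, the /home glob and the sample file contents are assumptions.

```python
from __future__ import annotations

import re
from pathlib import Path

# Default filter covering the two history-clearing commands quoted in the post.
# The artifact's ContentFilter is user-supplied; this default is an assumption.
DEFAULT_CONTENT_FILTER = re.compile(
    r"history\s+-c"          # 'history -c'
    r"|>\s*\S*\.bash_history"  # redirect into ~/.bash_history, e.g. 'cat /dev/null > ~/.bash_history'
)


def scan_bash_logout(text: str, content_filter: re.Pattern = DEFAULT_CONTENT_FILTER) -> list[tuple[int, str]]:
    """Return (line_number, line) pairs whose content matches the filter.

    Blank lines and '#' comments are skipped so a commented-out command does not alert.
    """
    hits: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if content_filter.search(line):
            hits.append((lineno, line))
    return hits


def scan_home_dirs(root: Path = Path("/home")) -> dict[str, list[tuple[int, str]]]:
    """Scan every <root>/*/.bash_logout (hypothetical glob, mirroring a per-user sweep)."""
    results: dict[str, list[tuple[int, str]]] = {}
    for logout in sorted(root.glob("*/.bash_logout")):
        try:
            results[str(logout)] = scan_bash_logout(logout.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return results


# Constructed sample: a stock Debian-style .bash_logout with the two commands from the post appended.
SAMPLE_LOGOUT = """\
# ~/.bash_logout: executed by bash(1) when login shell exits.
if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
history -c
cat /dev/null > ~/.bash_history
"""

if __name__ == "__main__":
    for lineno, line in scan_bash_logout(SAMPLE_LOGOUT):
        print(f"line {lineno}: {line}")
```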
----
That's it for now! Stay tuned to learn about more artifacts! 🦖


