Ever wondered how much command-line logging actually sees, or needed to exfiltrate content under the radar? Turns out, there’s a pretty significant blind spot: shell functions.
Most CLI logging solutions capture the commands you type. For example, rm sensitive_file.txt gets logged. But they don’t catch what happens when rm is no longer the real rm binary.
The Technique
You can override any command in your shell by defining a function with the same name. When you type rm, the shell checks functions first, then aliases, then binaries in $PATH. So if you define an rm() function, it takes precedence.
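
A defender-side check for the shadowing described above, as an added example rather than code from the original post: it reports which names on a watch list the current shell resolves to a function or alias, together with the binary on $PATH that is being hidden. The function names (resolve_kind, disk_path, audit_shadowed) and the watch list are assumptions made for illustration, and the ls wrapper at the end is a constructed sample.

```sh
#!/bin/sh
# Added example: report watched commands that a shell function or alias shadows.
# Source this file into the session under review so it sees that session's state.

# resolve_kind NAME -> function | alias | file | other | missing
resolve_kind() {
    _rk=$(command -v "$1" 2>/dev/null) || { echo missing; return 0; }
    case $_rk in
        /*)       echo file ;;     # resolved to a path on disk
        alias\ *) echo alias ;;    # command -v prints: alias name='...'
        *)  # bare name: function, builtin or keyword; ask `type` which one
            case $(LC_ALL=C type "$1" 2>/dev/null) in
                "$1 is a function"*|"$1 is a shell function"*) echo function ;;
                *) echo other ;;
            esac ;;
    esac
}

# disk_path NAME -> first executable regular file for NAME on $PATH
# (body runs in a subshell, so the IFS and noglob changes do not leak)
disk_path() (
    IFS=:; set -f
    for _d in $PATH; do
        _p=${_d:-.}/$1
        if [ -f "$_p" ] && [ -x "$_p" ]; then
            printf '%s\n' "$_p"; exit 0
        fi
    done
    exit 1
)

# audit_shadowed NAME... -> one "name<TAB>kind<TAB>hidden binary" line per hit
audit_shadowed() {
    for _name in "$@"; do
        _kind=$(resolve_kind "$_name")
        case $_kind in
            function|alias)
                _real=$(disk_path "$_name") || _real="not-on-PATH"
                printf '%s\t%s\t%s\n' "$_name" "$_kind" "$_real" ;;
        esac
    done
}

# Constructed sample: a harmless wrapper that shadows ls, then the audit.
ls() { command ls "$@"; }
audit_shadowed rm ls curl      # hypothetical watch list; only ls is reported
unset -f ls
```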
