T1070.003: Clear Command History
| View on MITRE ATT&CK | T1070.003 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
Adversaries may also leverage a Network Device CLI on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.Environment Variable Permissions
Prevent modification of environment variables by unauthorized users and groups.How to detect this technique
MITRE ATT&CK Data Components
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)User Account Authentication (User Account)
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)File Deletion (File)
Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Clear Bash history (echo)
Use Space Before Command to Avoid Logging to History
Clear Bash history (truncate)
Set Custom AddToHistoryHandler to Avoid History File Logging
Clear and Disable Bash History Logging
Clear Powershell History by Deleting History File
Clear Bash history (rm)
Prevent Powershell History Logging
Clear history of a bunch of shells
Disable Bash History Logging with SSH -T
Clear Docker Container Logs
Clear Bash history (ln dev/null)
Clear Bash history (cat dev/null)
Sigma Detections for this Technique
Disable Powershell Command History
Cisco Clear Logs
Clear PowerShell History - PowerShell
Clear PowerShell History - PowerShell Module
Clear Command History
Suspicious IO.FileStream
Clearing Windows Console History
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.