Technique on mitre.org

T1070.003: Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.

Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.

Adversaries may also leverage a Network Device CLI on network devices to clear command history data (clear logging and/or clear history).

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.

The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.

Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_defense_evasion: PT-CR-1659: Unix_Clear_Command_History: Command history cleared

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for the suspicious execution of processes that may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Analytic 1 - Clear Powershell Console Command History

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") AND (CommandLine="rm (Get-PSReadlineOption).HistorySavePath" OR CommandLine="del (Get-PSReadlineOption).HistorySavePath" OR CommandLine="Set-PSReadlineOption –HistorySaveStyle SaveNothing" OR CommandLine="Remove-Item (Get-PSReadlineOption).HistorySavePath" OR (CommandLine="del" AND CommandLine="Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt"))

IDDS0022Data source and componentFile: File DeletionDescription

Monitor for unexpected deletion of a command history file, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history.

Analytic 1 - Deletion of command history files

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="23") OR (source="*WinEventLog:Security" EventCode="4663") FilePath LIKE '%ConsoleHost_history.txt%' AND ObjectType == "File" AND (UserAccessList LIKE '%1537%' OR UserAccessList LIKE '%DELETE%'))

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for changes made to command history files, such as ConsoleHost_history.txt, ~/.zsh_history, or ~/.bash_history, for unexpected modifications to contents, access permissions, and attributes.

Analytic 1 : Modification of access rights to command history files

(source="WinEventLog:Security" EventCode IN (4663, 4670) AND Path="ConsoleHost_history.txt" AND ObjectType="File") AND (UserAccessList="1539" OR UserAccessList="WRITE_DAC") OR (ObjectNewSd=";FA*" OR ObjectNewSd=";FW" OR ObjectNewSd=";BU")

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for actions that could be taken to clear command history, such as Clear-History on Windows or clear logging / clear history via a Network Device CLI in AAA logs, or to disable writing command history, such as history -c in bash/zsh .

Analytic 1 - Powershell Commands

(source="*WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") (CommandLine="Clear-History" OR (CommandLine="Remove-Item" AND CommandLine="ConsoleHost_history.text"))

IDDS0002Data source and componentUser Account: User Account AuthenticationDescription

Monitor for an attempts by a user to gain access to a network or computing resource, often by providing credentials via remote terminal services, that do not have a corresponding entry in a command history file.

Mitigation

IDM1039NameEnvironment Variable PermissionsDescription

Making the environment variables associated with command history read only may ensure that the history is preserved.

IDM1029NameRemote Data StorageDescription

Forward logging of historical data to remote data store and centralized logging solution to preserve historical command line log data.

IDM1022NameRestrict File and Directory PermissionsDescription

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.