Indicator Removal on Host: Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.

Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.

The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.[1]

Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.[2][3]

ID: T1070.003
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: User
Defense Bypassed: Host forensic analysis, Log analysis
Contributors: Emile Kenning, Sophos; Vikas Singh, Sophos
Version: 1.1
Created: 31 January 2020
Last Modified: 16 October 2020
Provided by LAYER 8

Procedure Examples

ID Name Description
G0096 APT41

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[4]

S0601 Hildegard

Hildegard has used history -c to clear script shell logs.[5]

S0641 Kobalos

Kobalos can remove all command history on compromised hosts.[6]

G0045 menuPass

menuPass has used Wevtutil to remove PowerShell execution logs.[7]

G0139 TeamTNT

TeamTNT has cleared command history with history -c.[8]

Mitigations

ID Mitigation Description
M1039 Environment Variable Permissions

Making the environment variables associated with command history read only may ensure that the history is preserved.[9]

M1022 Restrict File and Directory Permissions

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Deletion
File Modification

User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.

Monitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.

References