Impair Command History Logging
MITRE ATT&CK, Defense Evasion, Sub-technique T1562.003
Impairing command history logging allows an attacker to operate on a compromised host while leaving minimal evidence behind.
Methods for Linux and macOS
Clearing the HISTFILE
# Unset the history file variable so the session's commands are not written to disk when the shell exits
unset HISTFILE
# Set the history file size to zero lines, which truncates the history file
export HISTFILESIZE=0
# Configure the HISTCONTROL variable so that commands beginning with a space (and consecutive duplicates) are not saved
HISTCONTROL=ignoreboth
Methods for Windows
# Stop PSReadLine from saving command history (the module itself stays loaded)
Set-PSReadLineOption -HistorySaveStyle SaveNothing
# Change the file path where PSReadLine saves command history
Set-PSReadLineOption -HistorySavePath {File Path}
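One way to detect the commands listed above in shell and PowerShell command-line telemetry, as an added example that is not part of the original page. The rule names, severity levels and sample events are assumptions constructed for illustration.

```python
import re

# Rules derived from the commands listed on this page. Severity values are
# assumptions: HISTCONTROL=ignoreboth ships in some default ~/.bashrc files,
# so on its own it is a weak signal and is rated low.
RULES = [
    ("histfile_unset", "high", re.compile(r"\bunset\s+(?:-v\s+)?HISTFILE\b")),
    ("histfilesize_zero", "high",
     re.compile(r"\bHISTFILESIZE=[\"']?0[\"']?(?=\s|;|$)")),
    ("histcontrol_ignore", "low",
     re.compile(r"\bHISTCONTROL=[\"']?\S*ignore(?:both|space)")),
    # PowerShell cmdlet and parameter names are case-insensitive.
    ("psreadline_save_nothing", "high",
     re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+[\"']?SaveNothing", re.I)),
    ("psreadline_path_change", "medium",
     re.compile(r"Set-PSReadLineOption\b.*-HistorySavePath\s+\S+", re.I)),
]

def detect(command_line):
    """Return (rule_name, severity) for every rule the command line matches."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(command_line)]

def triage(events):
    """events: iterable of (host, user, command_line); alerts sorted by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    alerts = [
        {"host": h, "user": u, "rule": name, "severity": sev, "command": cmd}
        for h, u, cmd in events
        for name, sev in detect(cmd)
    ]
    return sorted(alerts, key=lambda a: order[a["severity"]])

# Constructed sample telemetry (not real logs): host, user, command line.
SAMPLE_EVENTS = [
    ("web01", "deploy", "unset HISTFILE"),
    ("web01", "deploy", "export HISTFILESIZE=0"),
    ("web01", "alice", "HISTCONTROL=ignoreboth"),
    ("web01", "alice", "export HISTFILESIZE=2000"),   # benign: non-zero size
    ("ws07", "bob", "set-psreadlineoption -HistorySaveStyle SaveNothing"),
    ("ws07", "bob", r"Set-PSReadLineOption -HistorySavePath C:\Temp\h.txt"),
    ("ws07", "bob", "Get-PSReadLineOption"),           # benign: read-only query
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```
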