Impair Command History Logging

MITRE ATT&CK, Defense Evasion, Sub-technique T1562.003

Impairing command history logging lets an attacker operate on a compromised host while leaving minimal evidence behind.

Methods for Linux and macOS

Clearing the HISTFILE

# Unset HISTFILE so the session's commands are not written to a history file on exit
unset HISTFILE

# Set the maximum number of lines kept in the history file to zero
export HISTFILESIZE=0

# Set HISTCONTROL to ignoreboth (ignorespace plus ignoredups) so commands that begin with a space are not recorded
HISTCONTROL=ignoreboth

Methods for Windows

# Stop PSReadLine from saving command history to file
Set-PSReadLineOption -HistorySaveStyle SaveNothing

# Change the file PSReadLine writes command history to
Set-PSReadLineOption -HistorySavePath {File Path}
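
A detection-side check for the settings listed above, as an added example that is not part of the original page: it scans command lines (from process or shell telemetry, or the lines of a profile file) for each of these commands. The rule names, severities and sample lines are constructed for this example.

```python
import re

# (rule name, severity, pattern); rule names and severities are this example's own.
RULES = [
    ("unset-histfile", "high", re.compile(r"\bunset\s+(?:-v\s+)?HISTFILE\b")),
    ("histfilesize-zero", "high",
     re.compile(r"\bHISTFILESIZE=[\"']?0[\"']?(?=\s|;|$)")),
    # Low: some distributions ship HISTCONTROL=ignoreboth in the default ~/.bashrc,
    # so treat this as context for other hits rather than an alert by itself.
    ("histcontrol-ignorespace", "low",
     re.compile(r"\bHISTCONTROL=[\"']?[\w:]*\b(?:ignoreboth|ignorespace)\b")),
    # PowerShell is case-insensitive and accepts unambiguous parameter prefixes,
    # so -HistorySaveS and -HistorySaveP must match as well as the full names.
    ("psreadline-savenothing", "high", re.compile(
        r"Set-PSReadLineOption\b.*?-HistorySaveS\w*[\s:]+[\"']?SaveNothing\b", re.I)),
    ("psreadline-savepath", "medium", re.compile(
        r"Set-PSReadLineOption\b.*?-HistorySaveP\w*[\s:]+\S", re.I)),
]

def detect_history_impairment(lines):
    """Return (line_number, rule, severity) for every rule hit, in input order."""
    hits = []
    for number, line in enumerate(lines, 1):
        command = line.strip()
        if not command or command.startswith("#"):  # skip blanks and comment lines
            continue
        for name, severity, pattern in RULES:
            if pattern.search(command):
                hits.append((number, name, severity))
    return hits

# Constructed sample: one command line per entry.
SAMPLE = [
    "ls -la /var/www",
    "unset HISTFILE",
    "export HISTFILESIZE=0",
    "export HISTFILESIZE=2000",
    "HISTCONTROL=ignoreboth",
    "HISTCONTROL=ignoredups",
    "set-psreadlineoption -HistorySaveS SaveNothing",
    "Set-PSReadLineOption -HistorySavePath C:\\Temp\\h.txt",  # constructed path
    "Set-PSReadLineOption -HistoryNoDuplicates",
]

if __name__ == "__main__":
    for number, name, severity in detect_history_impairment(SAMPLE):
        print(f"line {number}: {name} [{severity}] {SAMPLE[number - 1]}")
```
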
