T1070.003.md

File metadata and controls

281 lines (116 loc) · 4.92 KB

T1070.003 - Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they have done.

These logs can be accessed in a few different ways. While a bash session is running, its history is held in memory; the environment variable HISTFILE names the file it is written to when the shell exits, which by default is ~/.bash_history in the user's home directory. The benefit of this is that users can go back to commands they have used in earlier sessions.

Adversaries can use a variety of methods to prevent their own commands from appearing in these logs, such as unsetting the history file variable (unset HISTFILE), setting the history file size to zero so the file is truncated on write (export HISTFILESIZE=0), manually clearing the in-memory history (history -c), or deleting the bash history file (rm ~/.bash_history).
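The evasions listed above each leave a recognisable trace on disk: a missing, empty or symlinked history file, or a persistent disabling line in a shell rc file. The following audit script is an added example and not part of Atomic Red Team or MITRE's page; the set of rc files it inspects (~/.bashrc, ~/.bash_profile, ~/.profile), the indicator regex and the two fixture home directories are all constructed for this demonstration rather than taken from any published detection rule.

```shell
# Added example (not from Atomic Red Team): audit one home directory for the
# history-evasion indicators the tests on this page leave behind.
# The rc file list, the regex and the fixture data are assumptions for the demo.

# Persistent disabling lines (Tests #6/#7 written into rc files).
RC_PATTERN='^[[:space:]]*(unset[[:space:]]+HISTFILE|(export[[:space:]]+)?HIST(FILE)?SIZE=0([[:space:]]|$)|(export[[:space:]]+)?HISTFILE=/dev/null|set[[:space:]]+[+]o[[:space:]]+history)'

# audit_history_evasion HOME_DIR
# Prints one "INDICATOR:" line per finding; returns 1 if anything was found, else 0.
audit_history_evasion() {
    home="$1"
    hist="$home/.bash_history"
    found=0

    # Test #4: a symlinked history file (typically to /dev/null) never keeps anything.
    if [ -L "$hist" ]; then
        target=$(readlink "$hist")
        echo "INDICATOR: $hist is a symlink to $target"
        found=1
    # Tests #1, #2, #3, #5: the file was deleted or emptied.
    elif [ ! -e "$hist" ]; then
        echo "INDICATOR: $hist is missing"
        found=1
    elif [ ! -s "$hist" ]; then
        echo "INDICATOR: $hist is empty"
        found=1
    fi

    # Tests #6 and #7 made persistent: disabling lines in the login/rc files.
    for rc in "$home/.bashrc" "$home/.bash_profile" "$home/.profile"; do
        [ -f "$rc" ] || continue
        if grep -qE "$RC_PATTERN" "$rc"; then
            grep -nE "$RC_PATTERN" "$rc" | sed "s|^|INDICATOR: $rc:|"
            found=1
        fi
    done
    return "$found"
}

# Fixture builders: constructed sample data, not real user directories.
make_clean_home() {
    mkdir -p "$1"
    printf 'ls -la\ncat /etc/os-release\n' > "$1/.bash_history"
    printf '# normal rc\nexport HISTSIZE=5000\n' > "$1/.bashrc"
}

make_tampered_home() {
    mkdir -p "$1"
    ln -sf /dev/null "$1/.bash_history"                      # Test #4
    printf '# shell setup\nset +o history\nexport HISTFILESIZE=0\n' > "$1/.bashrc"   # Tests #6/#7
}

# Demo run over one clean and one tampered home directory.
DEMO=$(mktemp -d)
make_clean_home "$DEMO/alice"
make_tampered_home "$DEMO/mallory"
for h in "$DEMO/alice" "$DEMO/mallory"; do
    if audit_history_evasion "$h"; then
        echo "clean: $h"
    fi
done
rm -rf "$DEMO"
```

Run it over every directory under /home (and /root) on a suspect host and treat any INDICATOR line as a lead, not a verdict: an empty history file can also be a fresh account. On macOS the default interactive shell is zsh, which keeps ~/.zsh_history, so the bash checks above only apply to accounts that actually use bash.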

Atomic Tests


Atomic Test #1 - Clear Bash history (rm)

Clears bash history via rm

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

rm ~/.bash_history


Atomic Test #2 - Clear Bash history (echo)

Clears bash history by overwriting the file with an empty line via echo

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

echo "" > ~/.bash_history


Atomic Test #3 - Clear Bash history (cat dev/null)

Clears bash history via cat /dev/null

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

cat /dev/null > ~/.bash_history


Atomic Test #4 - Clear Bash history (ln dev/null)

Clears bash history via a symlink to /dev/null

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

ln -sf /dev/null ~/.bash_history


Atomic Test #5 - Clear Bash history (truncate)

Clears bash history via truncate

Supported Platforms: Linux

Attack Commands: Run with sh!

truncate -s0 ~/.bash_history


Atomic Test #6 - Clear history of a bunch of shells

Disables history for the current bash session (and any shell that honors the same variables) by unsetting HISTFILE, setting HISTFILESIZE to zero, and clearing the in-memory history list

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

unset HISTFILE
export HISTFILESIZE=0
history -c


Atomic Test #7 - Clear and Disable Bash History Logging

Clears the history and disables bash history logging for the current shell and future shell sessions, by appending set +o history to ~/.bashrc

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

set +o history
echo 'set +o history' >> ~/.bashrc
. ~/.bashrc
history -c


Atomic Test #8 - Use Space Before Command to Avoid Logging to History

Using a space before a command causes it not to be written to the bash history file, provided HISTCONTROL contains ignorespace or ignoreboth (bash itself leaves HISTCONTROL unset; many distribution skeleton .bashrc files set ignoreboth). Each command below starts with a leading space, which is easy to lose when copying.

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

 hostname
 whoami
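A common mitigation for Tests #6 through #8 is to ship the history variables read-only from a system-wide profile. The script below is an added example, not part of Atomic Red Team: it runs each evasion from the bash tests above inside a fresh bash that has first applied a constructed read-only history configuration (the kind an administrator might place under /etc/profile.d, though the snippet is not taken from any distribution), and reports which evasions the guard actually blocks and which still succeed. It needs bash on the path and uses a temporary directory in place of the victim's home.

```shell
# Added example (not from Atomic Red Team): measure which history evasions a
# read-only variable guard blocks. GUARD is a constructed defensive snippet.

SANDBOX=$(mktemp -d)            # stands in for the victim's $HOME
trap 'rm -rf "$SANDBOX"' EXIT

# HISTCONTROL is pinned to empty so that leading-space commands (Test #8) are
# recorded in interactive shells; histappend keeps each session's lines.
GUARD='export HISTFILE="$HOME/.bash_history"
export HISTSIZE=100000 HISTFILESIZE=100000
export HISTTIMEFORMAT="%F %T "
export HISTCONTROL=""
shopt -s histappend
readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT HISTCONTROL'

# try_evasion 'COMMAND' -> runs COMMAND after GUARD in a fresh bash.
# Returns 0 and prints "blocked" when the command failed against the read-only
# variables; returns 1 and prints "allowed" when it succeeded anyway.
try_evasion() {
    if HOME="$SANDBOX" bash -c "$GUARD; $1" 2>/dev/null; then
        echo "allowed: $1"
        return 1
    fi
    echo "blocked: $1"
    return 0
}

# Test #6 style evasions hit the read-only variables and fail.
try_evasion 'unset HISTFILE'
try_evasion 'export HISTFILESIZE=0'
try_evasion 'HISTFILE=/dev/null'

# Test #7 (shell option) and Test #4 (file-level) evasions never touch the
# variables, so the guard does not stop them.
try_evasion 'set +o history'
try_evasion 'ln -sf /dev/null "$HISTFILE"'
```

The split in the output is the practical lesson: read-only variables close the HISTFILE and HISTFILESIZE routes, but nothing in the environment prevents set +o history or direct tampering with the file itself, so the file-level tests on this page still need a separate control (an append-only attribute on the history file, or forwarding the history off-host) and, ultimately, process auditing rather than reliance on the history file at all.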


Atomic Test #9 - Prevent Powershell History Logging

Stops PSReadLine from writing PowerShell command history to disk for the current session (the setting does not persist unless it is added to the profile)

Supported Platforms: Windows

Attack Commands: Run with powershell!

Set-PSReadlineOption -HistorySaveStyle SaveNothing

Cleanup Commands:

Set-PSReadlineOption -HistorySaveStyle SaveIncrementally


Atomic Test #10 - Clear Powershell History by Deleting History File

Deletes the PSReadLine history file at the path reported by (Get-PSReadlineOption).HistorySavePath

Supported Platforms: Windows

Attack Commands: Run with powershell!

Remove-Item (Get-PSReadlineOption).HistorySavePath