T1070.003 Clear Command History Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // PowerShell history file deletion or manipulation
    (FileName in~ ("powershell.exe", "pwsh.exe")
     and ProcessCommandLine has_any ("ConsoleHost_history", "PSReadLine", "Get-PSReadlineOption", "Clear-History", "Remove-Item"))
    or
    // Linux/macOS bash history clearing via shell
    (FileName in~ ("bash", "sh", "zsh", "fish")
     and ProcessCommandLine has_any ("history -c", "history -w", "HISTFILE=", "HISTSIZE=0", "HISTFILESIZE=0"))
    or
    // Direct deletion of history files
    (ProcessCommandLine has_any ("bash_history", ".zsh_history", ".ash_history", ".fish_history")
     and ProcessCommandLine has_any ("rm ", "del ", "Remove-Item", "unlink"))
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType in ("FileDeleted", "FileModified")
    | where FolderPath has_any ("PSReadLine", "ConsoleHost_history")
       or FileName in~ (".bash_history", ".zsh_history", ".ash_history")
    | project Timestamp, DeviceName, InitiatingProcessAccountName,
             FileName, FolderPath, ActionType, InitiatingProcessFileName
)
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Deletion File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Administrators running Clear-History during interactive PowerShell sessions for legitimate housekeeping
Shell profile scripts that set HISTSIZE=0 for service accounts that should not record history
Backup or rotation scripts that delete and recreate .bash_history files
Security tools that sanitize history files after removing credentials accidentally typed at the command line

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (Image like "%powershell.exe" OR Image like "%pwsh.exe")
  AND (CommandLine like "%ConsoleHost_history%" OR CommandLine like "%PSReadLine%"
       OR CommandLine like "%Get-PSReadlineOption%" OR CommandLine like "%Clear-History%"
       OR match(CommandLine, "Remove-Item.*history"))
| eval HistoryClearType="PowerShell PSReadLine History"
| table _time, host, User, Image, CommandLine, ParentImage, HistoryClearType
| sort - _time
| append [
    search index=linux_audit (type=EXECVE OR type=SYSCALL)
    | where (a0="bash" OR a0="sh" OR a0="zsh")
      AND (match(a1, "history.*-c") OR match(a2, "HISTFILE=") OR match(a2, "HISTSIZE=0")
           OR (match(a1, "rm") AND (match(a2, "bash_history") OR match(a2, "zsh_history"))))
    | eval HistoryClearType="Linux Shell History Clear"
    | table _time, host, auid, a0, a1, a2, HistoryClearType
]
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1 Linux Audit Daemon: EXECVE

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_audit

False Positives

PowerShell profiles that run Clear-History on session start for privacy-conscious users
Service account shells configured with HISTSIZE=0 in /etc/profile.d/ for security compliance
Log rotation scripts that periodically clear user history files
IR tools that wipe history files as part of evidence preservation workflows on remediated hosts

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
[
  any where (
    (
      process.name in~ ("powershell.exe", "pwsh.exe") and
      (
        process.args : "*ConsoleHost_history*" or
        process.args : "*PSReadLine*" or
        process.args : "*Get-PSReadlineOption*" or
        process.args : "*Clear-History*" or
        process.command_line : "*Remove-Item*history*"
      )
    ) or
    (
      process.name in~ ("bash", "sh", "zsh", "fish") and
      (
        process.args : "*history -c*" or
        process.args : "*HISTFILE=*" or
        process.args : "*HISTSIZE=0*" or
        process.args : "*HISTFILESIZE=0*" or
        process.command_line : "*rm*bash_history*" or
        process.command_line : "*rm*zsh_history*"
      )
    ) or
    (
      process.name in~ ("rm", "unlink", "shred") and
      (
        process.args : "*.bash_history*" or
        process.args : "*.zsh_history*" or
        process.args : "*.ash_history*" or
        process.args : "*.fish_history*"
      )
    )
  )
]
| head 500

high severity high confidence

Data Sources

Endpoint - Elastic Agent with Endpoint Security integration Sysmon via Winlogbeat Auditd via Filebeat (Linux)

Required Tables

logs-endpoint.events.process-* logs-system.syslog-* winlogbeat-*

False Positives

System administrators running history -c as part of legitimate hardening or cleanup scripts after privileged maintenance windows
Automation or CI/CD pipelines invoking PowerShell that manipulate PSReadLine options for non-interactive sessions
Security tooling or EDR agents performing history file management as part of normal telemetry collection

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username,
  sourceip,
  QIDNAME(qid) AS EventName,
  "Process Name",
  "Command",
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 311, 352)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    /* PowerShell PSReadLine manipulation */
    (
      LOWER("Process Name") LIKE '%powershell.exe'
      OR LOWER("Process Name") LIKE '%pwsh.exe'
    ) AND (
      LOWER("Command") LIKE '%consolehost_history%'
      OR LOWER("Command") LIKE '%psreadline%'
      OR LOWER("Command") LIKE '%get-psreadlineoption%'
      OR LOWER("Command") LIKE '%clear-history%'
      OR LOWER("Command") LIKE '%remove-item%history%'
    )
    OR
    /* Linux shell history clearing */
    (
      LOWER("Process Name") IN ('bash', 'sh', 'zsh', 'fish')
      AND (
        LOWER("Command") LIKE '%history -c%'
        OR LOWER("Command") LIKE '%histfile=%'
        OR LOWER("Command") LIKE '%histsize=0%'
        OR LOWER("Command") LIKE '%histfilesize=0%'
      )
    )
    OR
    /* Direct deletion of history files */
    (
      LOWER("Process Name") IN ('rm', 'unlink', 'shred', 'del')
      AND (
        LOWER("Command") LIKE '%.bash_history%'
        OR LOWER("Command") LIKE '%.zsh_history%'
        OR LOWER("Command") LIKE '%.ash_history%'
        OR LOWER("Command") LIKE '%.fish_history%'
      )
    )
  )
ORDER BY devicetime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (LOGSOURCETYPEID 311) Microsoft Windows Security Event Log (LOGSOURCETYPEID 12) Linux OS (LOGSOURCETYPEID 13) Linux Auditd (LOGSOURCETYPEID 352)

Required Tables

events

False Positives

Security operations personnel manually clearing history after conducting forensic analysis on a host
Automated provisioning scripts that configure PSReadLine options for service accounts during system hardening
Developer workstations where shell profile scripts clear history as a privacy preference

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*linux*audit* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "User=*\n" as user nodrop
| parse "Computer=*\n" as computer nodrop
| parse "type=* " as audit_type nodrop
| parse "exe=\"*\"" as exe nodrop
| parse "a0=\"*\"" as a0 nodrop
| parse "a1=\"*\"" as a1 nodrop
| parse "a2=\"*\"" as a2 nodrop
| where event_code = "1" OR audit_type = "EXECVE"
| where (
    /* PowerShell PSReadLine manipulation */
    (
      (process_image matches "*powershell.exe" OR process_image matches "*pwsh.exe")
      AND (
        toLowerCase(command_line) matches "*consolehost_history*"
        OR toLowerCase(command_line) matches "*psreadline*"
        OR toLowerCase(command_line) matches "*get-psreadlineoption*"
        OR toLowerCase(command_line) matches "*clear-history*"
        OR (toLowerCase(command_line) matches "*remove-item*" AND toLowerCase(command_line) matches "*history*")
      )
    )
    /* Linux shell history clearing */
    OR (
      (exe matches "*/bash" OR exe matches "*/sh" OR exe matches "*/zsh" OR exe matches "*/fish"
       OR a0 matches "bash" OR a0 matches "sh" OR a0 matches "zsh")
      AND (
        (a1 matches "*history*" AND a2 = "-c")
        OR toLowerCase(a1) matches "*histfile=*"
        OR toLowerCase(a1) matches "*histsize=0*"
        OR (a1 matches "*rm*" AND (a2 matches "*bash_history*" OR a2 matches "*zsh_history*"))
      )
    )
    /* Direct deletion of history files */
    OR (
      (exe matches "*/rm" OR exe matches "*/unlink" OR exe matches "*/shred")
      AND (
        a1 matches "*.bash_history*"
        OR a1 matches "*.zsh_history*"
        OR a1 matches "*.ash_history*"
        OR a1 matches "*.fish_history*"
      )
    )
  )
| if (!isNull(process_image), process_image, exe) as process_name
| if (!isNull(command_line), command_line, concat(a0, " ", a1, " ", a2)) as full_command
| if (!isNull(user), user, toString(auid)) as actor
| eval history_clear_type = if(
    toLowerCase(full_command) matches "*consolehost_history*" OR toLowerCase(full_command) matches "*psreadline*",
    "PowerShell PSReadLine",
    if(
      toLowerCase(full_command) matches "*histfile=*" OR toLowerCase(full_command) matches "*histsize=0*",
      "History Suppression via Env Var",
      if(
        toLowerCase(full_command) matches "*history -c*",
        "Shell In-Memory Clear",
        "History File Deletion"
      )
    )
  )
| fields _messagetime, computer, actor, process_name, full_command, history_clear_type
| sort by _messagetime desc
| limit 500

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows App Linux auditd via Sumo Logic Linux App Sumo Logic CSE Normalized Records

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*linux*audit*

False Positives

IT operations teams running standardized shell profile scripts that set HISTSIZE=0 for shared service accounts to prevent credential leakage in history files
Red team or penetration testing activities during authorized engagements where history clearing is intentional tradecraft
Container or ephemeral workload initialization scripts that configure shell environments without persistent history

Google Chronicle / SecOps

yaral

rule t1070_003_clear_command_history {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1070.003 - Indicator Removal: Clear Command History. Covers PowerShell PSReadLine file manipulation, Linux shell history clearing commands (history -c), environment variable suppression (HISTFILE=, HISTSIZE=0, HISTFILESIZE=0), and direct deletion of .bash_history/.zsh_history files. Associated with TeamTNT, APT41, Aquatic Panda, Kobalos, and Medusa Group ransomware."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.003"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        /* PowerShell PSReadLine manipulation */
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and
        (
          re.regex($e.target.process.command_line, `(?i)ConsoleHost_history`) or
          re.regex($e.target.process.command_line, `(?i)PSReadLine`) or
          re.regex($e.target.process.command_line, `(?i)Get-PSReadlineOption`) or
          re.regex($e.target.process.command_line, `(?i)Clear-History`) or
          re.regex($e.target.process.command_line, `(?i)Remove-Item.*[Hh]istory`)
        )
      )
      or
      (
        /* Linux shell history clearing */
        re.regex($e.target.process.file.full_path, `(?i)/(bash|sh|zsh|fish)$`)
        and
        (
          re.regex($e.target.process.command_line, `history\s+-[cw]`) or
          re.regex($e.target.process.command_line, `HISTFILE=`) or
          re.regex($e.target.process.command_line, `HISTSIZE=0`) or
          re.regex($e.target.process.command_line, `HISTFILESIZE=0`)
        )
      )
      or
      (
        /* Direct deletion of shell history files */
        re.regex($e.target.process.file.full_path, `(?i)/(rm|unlink|shred)$`)
        and
        (
          re.regex($e.target.process.command_line, `\.(bash|zsh|ash|fish)_history`) or
          re.regex($e.target.process.command_line, `ConsoleHost_history\.txt`)
        )
      )
      or
      (
        /* PowerShell HistorySavePath via Get-PSReadlineOption - Medusa Group TTP */
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)HistorySavePath`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM - Process Events Endpoint telemetry forwarded to Chronicle (CrowdStrike, Carbon Black, SentinelOne, Sysmon via Bindplane)

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives

Legitimate shell profile customization scripts (e.g., .bashrc or .zshrc) that set HISTSIZE=0 for shared or service accounts on build servers
Security tools performing post-incident remediation that clear history files as part of an approved forensic preservation workflow
Non-interactive PowerShell sessions run by automation frameworks (Ansible, Chef, Puppet) that modify PSReadLine configuration for headless operation

CrowdStrike LogScale (CQL)

cql

// T1070.003 - Clear Command History Detection
// Covers: PowerShell PSReadLine manipulation, Linux history clearing, history file deletion

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|\/(bash|sh|zsh|fish|rm|unlink|shred))$/
| CommandLine = /(?i)(ConsoleHost_history|PSReadLine|Get-PSReadlineOption|Clear-History|Remove-Item.*[Hh]istory|HistorySavePath|history\s+-[cw]|HISTFILE=|HISTSIZE=0|HISTFILESIZE=0|\.bash_history|\.zsh_history|\.ash_history|\.fish_history)/
| eval HistoryClearType = case(
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)/ AND CommandLine = /(?i)(ConsoleHost_history|PSReadLine|HistorySavePath)/,
    "PowerShell PSReadLine File Manipulation",
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)/ AND CommandLine = /(?i)Clear-History/,
    "PowerShell In-Session History Clear",
    ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)/ AND CommandLine = /(?i)Remove-Item.*[Hh]istory/,
    "PowerShell Remove-Item History Deletion",
    ImageFileName = /(?i)\/(bash|sh|zsh|fish)$/ AND CommandLine = /HISTFILE=|HISTSIZE=0|HISTFILESIZE=0/,
    "Linux History Env Var Suppression",
    ImageFileName = /(?i)\/(bash|sh|zsh|fish)$/ AND CommandLine = /history\s+-[cw]/,
    "Linux Shell In-Memory History Clear",
    ImageFileName = /(?i)\/(rm|unlink|shred)$/ AND CommandLine = /\.(bash|zsh|ash|fish)_history/,
    "Linux History File Direct Deletion",
    "Unknown History Clear Method"
  )
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, HistoryClearType, ParentBaseFileName],
    function=[
      count(aid, as=EventCount),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ]
  )
| sort(LastSeen, order=desc)
| limit 500

high severity high confidence

Data Sources

CrowdStrike Falcon EDR - ProcessRollup2 CrowdStrike Falcon LogScale

Required Tables

ProcessRollup2

False Positives

DevOps automation pipelines executing PowerShell with modified PSReadLine settings to suppress interactive history for non-human service accounts
Linux administrators who include history clearing commands in logout scripts (e.g., /etc/profile.d/ or .bash_logout) as a legitimate privacy control on shared systems
CrowdStrike RTR (Real Time Response) or remote management sessions that spawn shell processes with modified history settings for ephemeral administrative tasks

Clear Command History

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections