T1070.003 Google Chronicle · YARA-L

Detect Clear Command History in Google Chronicle

Adversaries clear command history to conceal actions taken during an intrusion. On Windows, PowerShell maintains two history stores: the in-session history (cleared by Clear-History) and the PSReadLine history file at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Attackers may delete or truncate this file, or remove it by its configured path with Remove-Item (Get-PSReadlineOption).HistorySavePath, the method used by Medusa Group ransomware. On Linux/macOS, history -c clears the in-memory history, HISTFILE= blanks the history file path so the shell writes nothing on exit, and rm ~/.bash_history deletes the persistent record. Setting HISTSIZE=0 or HISTFILESIZE=0 stops further history from being kept in memory or written to disk. TeamTNT, Aquatic Panda, APT41, Kobalos, and APT5 (on ESXi) have all been observed clearing command history as post-exploitation cleanup.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.003 Clear Command History
Canonical reference
https://attack.mitre.org/techniques/T1070/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1070_003_clear_command_history {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1070.003 - Indicator Removal: Clear Command History. Covers PowerShell PSReadLine file manipulation (including HistorySavePath access), Linux shell history clearing commands (history -c), environment variable suppression (HISTFILE=, HISTSIZE=0, HISTFILESIZE=0), and direct deletion of shell history files. Associated with TeamTNT, APT41, Aquatic Panda, Kobalos, and Medusa Group ransomware."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.003"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    /* Only process creation is inspected. Shell builtins typed into an existing
       interactive shell (history -c, HISTFILE=) spawn no process and are not seen;
       the shell branch below matches when they are passed to a new shell (sh -c "..."). */
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        /* PowerShell PSReadLine manipulation, including the
           Remove-Item (Get-PSReadlineOption).HistorySavePath pattern used by Medusa Group */
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
        and
        (
          re.regex($e.target.process.command_line, `(?i)ConsoleHost_history`) or
          re.regex($e.target.process.command_line, `(?i)PSReadLine`) or
          re.regex($e.target.process.command_line, `(?i)Get-PSReadlineOption`) or
          re.regex($e.target.process.command_line, `(?i)HistorySavePath`) or
          re.regex($e.target.process.command_line, `(?i)Clear-History`) or
          re.regex($e.target.process.command_line, `(?i)Remove-Item.*history`)
        )
      )
      or
      (
        /* Linux/macOS shell history clearing carried on a shell command line */
        re.regex($e.target.process.file.full_path, `(?i)/(bash|sh|zsh|fish)$`)
        and
        (
          re.regex($e.target.process.command_line, `history\s+-[cw]`) or
          re.regex($e.target.process.command_line, `HISTFILE=`) or
          re.regex($e.target.process.command_line, `HISTSIZE=0`) or
          re.regex($e.target.process.command_line, `HISTFILESIZE=0`)
        )
      )
      or
      (
        /* Direct deletion of shell history files. fish keeps its file as
           ~/.local/share/fish/fish_history (no leading dot); pwsh on Linux keeps
           ConsoleHost_history.txt under ~/.local/share/powershell/PSReadLine */
        re.regex($e.target.process.file.full_path, `(?i)/(rm|unlink|shred)$`)
        and
        (
          re.regex($e.target.process.command_line, `\.(bash|zsh|ash)_history`) or
          re.regex($e.target.process.command_line, `fish_history`) or
          re.regex($e.target.process.command_line, `ConsoleHost_history\.txt`)
        )
      )
    )

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule detecting T1070.003 command history clearing using UDM PROCESS_LAUNCH events. Covers PowerShell PSReadLine file deletion/manipulation (including the HistorySavePath access used by Medusa Group), Linux shell history clearing via history -c/-w, environment variable history suppression (HISTFILE=, HISTSIZE=0, HISTFILESIZE=0), and direct rm/unlink/shred of shell history files. Because only process creation is inspected, the shell branch fires when the clearing commands are passed on a new shell's command line (for example sh -c "history -c; rm ~/.bash_history"); the same commands typed into an already running interactive shell are builtins, spawn no process, and leave only file-level traces that this rule does not read. Mapped to MITRE ATT&CK T1070.003.

Data Sources

Google Chronicle UDM - Process Events: endpoint telemetry forwarded to Chronicle (CrowdStrike, Carbon Black, SentinelOne, Sysmon via Bindplane)

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate shell profile customization scripts (e.g., .bashrc or .zshrc) that set HISTSIZE=0 for shared or service accounts on build servers
  • Security or IT tooling that clears history files as part of an approved remediation workflow; tie such runs to a change ticket or a known automation account rather than suppressing the rule
  • Non-interactive PowerShell sessions run by automation frameworks (Ansible, Chef, Puppet) that modify PSReadLine configuration for headless operation
  • Any PowerShell command line that merely mentions the PSReadLine module (Import-Module PSReadLine, Set-PSReadLineOption in profile scripts) matches the broad PSReadLine pattern; if this is noisy, require ConsoleHost_history, HistorySavePath, or Remove-Item in the same command line

Testing Methodology

Validate this detection with the three Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Run the Linux test through a fresh shell (sh -c "...") so that the commands appear on a PROCESS_LAUNCH command line; typed into an existing interactive shell, history -c and the variable assignments are builtins and produce no process event.

  1. Test 1: Clear PowerShell PSReadLine History File

    Expected signal: Sysmon EventCode 23 (FileDelete) targeting %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. PowerShell process creation event with Remove-Item and Get-PSReadlineOption in the command line. MDE DeviceFileEvents with ActionType=FileDeleted for the history file path.

  2. Test 2: Truncate PowerShell History via Clear-History and Set-Content

    Expected signal: PowerShell process creation with Set-Content and Get-PSReadlineOption in the command line. Sysmon EventCode 11 (FileCreate) or EventCode 15 (FileCreateStreamHash) on ConsoleHost_history.txt, depending on how the overwrite is logged. MDE DeviceFileEvents with ActionType=FileModified targeting the PSReadLine history path.

  3. Test 3: Clear Linux Bash History and Disable Future Recording

    Expected signal: a shell process launch (for example sh -c "history -c; rm ~/.bash_history; export HISTSIZE=0") whose command line carries history -c, rm ~/.bash_history and HISTSIZE=0. Linux audit daemon EXECVE records for each external command in the chain (rm appears; the history and export builtins do not). DeviceFileEvents (if the MDE Linux agent is deployed) with FileDeleted for .bash_history.
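The rule's matching logic run over constructed sample events, as an added example that is not part of the original page or of the Argus rule. The regexes are copied from the YARA-L rule above; Chronicle's re.regex is assumed to behave as an unanchored substring match (hence re.search), and the history-file pattern additionally covers fish's dotless fish_history file. The sample command lines (the three tests above, a direct deletion, a benign Import-Module PSReadLine, a file event standing in for an interactive builtin, and unset HISTFILE) are constructed for illustration; the Windows path, user names and label strings are arbitrary.

```python
import re

# Patterns copied from the YARA-L rule. Chronicle's re.regex is treated here as
# an unanchored substring match (assumption), which is why re.search is used.
PS_BINARY = re.compile(r"(?i)(powershell\.exe|pwsh\.exe)$")
PS_HISTORY = re.compile(
    r"(?i)(ConsoleHost_history|PSReadLine|Get-PSReadlineOption|Clear-History"
    r"|Remove-Item.*history|HistorySavePath)"
)
SHELL_BINARY = re.compile(r"(?i)/(bash|sh|zsh|fish)$")
SHELL_HISTORY = re.compile(r"(history\s+-[cw]|HISTFILE=|HISTSIZE=0|HISTFILESIZE=0)")
DELETE_BINARY = re.compile(r"(?i)/(rm|unlink|shred)$")
# fish_history (no leading dot) is an addition to the rule's original pattern.
HISTORY_FILE = re.compile(r"(\.(bash|zsh|ash)_history|fish_history|ConsoleHost_history\.txt)")


def evaluate(event):
    """Return the name of the rule branch a UDM-shaped event satisfies, or None."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return None  # the rule reads process creation only
    proc = event.get("target", {}).get("process", {})
    path = proc.get("file", {}).get("full_path", "")
    cmd = proc.get("command_line", "")
    if PS_BINARY.search(path) and PS_HISTORY.search(cmd):
        return "powershell_psreadline"
    if SHELL_BINARY.search(path) and SHELL_HISTORY.search(cmd):
        return "shell_history_clear"
    if DELETE_BINARY.search(path) and HISTORY_FILE.search(cmd):
        return "history_file_delete"
    return None


def process_launch(label, full_path, command_line):
    """Build a constructed PROCESS_LAUNCH event carrying only the fields the rule reads."""
    return {
        "label": label,
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "target": {"process": {"file": {"full_path": full_path}, "command_line": command_line}},
    }


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # constructed path

# Constructed sample events: the three tests from the methodology section,
# a direct deletion, a documented false positive, and two blind spots.
SAMPLE_EVENTS = [
    process_launch("test1_psreadline_delete", PS_EXE,
                   'powershell.exe -Command "Remove-Item (Get-PSReadlineOption).HistorySavePath"'),
    process_launch("test2_psreadline_truncate", PS_EXE,
                   'powershell.exe -Command "Clear-History; '
                   'Set-Content -Path (Get-PSReadlineOption).HistorySavePath -Value $null"'),
    process_launch("test3_bash_clear", "/usr/bin/bash",
                   'bash -c "history -c; rm ~/.bash_history; export HISTSIZE=0"'),
    process_launch("zsh_history_rm", "/usr/bin/rm", "rm -f /home/svc/.zsh_history"),
    process_launch("fish_history_shred", "/usr/bin/shred",
                   "shred -u /home/dev/.local/share/fish/fish_history"),
    # False positive: the broad PSReadLine pattern fires on a benign module import.
    process_launch("fp_import_psreadline", PS_EXE,
                   'powershell.exe -NoProfile -Command "Import-Module PSReadLine; '
                   'Set-PSReadLineOption -PredictionSource History"'),
    # Blind spot 1: `history -c` typed into an existing interactive bash is a builtin,
    # spawns no process, and so produces no PROCESS_LAUNCH. The nearest signal a sensor
    # emits is a file event, which this rule does not read.
    {
        "label": "interactive_builtin_file_event",
        "metadata": {"event_type": "FILE_MODIFICATION"},
        "target": {"file": {"full_path": "/home/svc/.bash_history"}},
    },
    # Blind spot 2: `unset HISTFILE` is not covered by the HISTFILE= pattern.
    process_launch("unset_histfile", "/bin/sh", 'sh -c "unset HISTFILE; id"'),
]


def run(events=SAMPLE_EVENTS):
    """Map each sample label to the branch it triggered (None = no alert)."""
    return {e["label"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for label, branch in run().items():
        print(f"{label:34} -> {branch}")
```

Running the script prints one line per sample. The two blind-spot samples return None and the Import-Module sample returns powershell_psreadline, which is exactly the tuning point listed under False Positives: tightening the PSReadLine pattern removes the module-import noise without touching the three true positives.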
