Detect Clear Command History in CrowdStrike LogScale
Adversaries clear command history to conceal actions taken during an intrusion. On Windows, PowerShell maintains two history stores: the in-session history (cleared by Clear-History) and the PSReadLine history file at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Attackers may delete or truncate this file or use Remove-Item (Get-PSReadlineOption).HistorySavePath — the method used by Medusa Group ransomware. On Linux/macOS, history -c clears the in-memory history, HISTFILE= unsets the history file, and rm ~/.bash_history deletes the persistent record. Setting HISTSIZE=0 or HISTFILESIZE=0 prevents future history recording. TeamTNT, Aquatic Panda, APT41, Kobalos, and APT5 (ESXi) have all been observed clearing command history as post-exploitation cleanup.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.003 Clear Command History
- Canonical reference
- https://attack.mitre.org/techniques/T1070/003/
LogScale Detection Query
// T1070.003 - Clear Command History Detection
// Covers: PowerShell PSReadLine manipulation, Linux history clearing, history file deletion
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|\/(bash|sh|zsh|fish|rm|unlink|shred))$/
| CommandLine = /(?i)(ConsoleHost_history|PSReadLine|Get-PSReadlineOption|Clear-History|Remove-Item.*[Hh]istory|HistorySavePath|history\s+-[cw]|HISTFILE=|HISTSIZE=0|HISTFILESIZE=0|\.bash_history|\.zsh_history|\.ash_history|\.fish_history)/
| eval HistoryClearType = case(
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)/ AND CommandLine = /(?i)(ConsoleHost_history|PSReadLine|HistorySavePath)/,
"PowerShell PSReadLine File Manipulation",
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)/ AND CommandLine = /(?i)Clear-History/,
"PowerShell In-Session History Clear",
ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)/ AND CommandLine = /(?i)Remove-Item.*[Hh]istory/,
"PowerShell Remove-Item History Deletion",
ImageFileName = /(?i)\/(bash|sh|zsh|fish)$/ AND CommandLine = /HISTFILE=|HISTSIZE=0|HISTFILESIZE=0/,
"Linux History Env Var Suppression",
ImageFileName = /(?i)\/(bash|sh|zsh|fish)$/ AND CommandLine = /history\s+-[cw]/,
"Linux Shell In-Memory History Clear",
ImageFileName = /(?i)\/(rm|unlink|shred)$/ AND CommandLine = /\.(bash|zsh|ash|fish)_history/,
"Linux History File Direct Deletion",
"Unknown History Clear Method"
)
| groupBy(
[ComputerName, UserName, FileName, CommandLine, HistoryClearType, ParentBaseFileName],
function=[
count(aid, as=EventCount),
min(timestamp, as=FirstSeen),
max(timestamp, as=LastSeen)
]
)
| sort(LastSeen, order=desc)
| limit 500Detects T1070.003 command history clearing using CrowdStrike Falcon ProcessRollup2 events via LogScale CQL. Identifies PowerShell PSReadLine file manipulation (including HistorySavePath access linked to Medusa Group), in-session Clear-History commands, Remove-Item targeting history files, Linux shell history clearing via history -c/-w, HISTFILE/HISTSIZE/HISTFILESIZE environment variable suppression, and direct deletion of shell history files. Results are aggregated by host, user, and clearing method.
Data Sources
Required Tables
False Positives & Tuning
- DevOps automation pipelines executing PowerShell with modified PSReadLine settings to suppress interactive history for non-human service accounts
- Linux administrators who include history clearing commands in logout scripts (e.g., /etc/profile.d/ or .bash_logout) as a legitimate privacy control on shared systems
- CrowdStrike RTR (Real Time Response) or remote management sessions that spawn shell processes with modified history settings for ephemeral administrative tasks
Other platforms for T1070.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Clear PowerShell PSReadLine History File
Expected signal: Sysmon EventCode 23 (FileDelete) targeting %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. PowerShell process creation event with Remove-Item and Get-PSReadlineOption in the command line. MDE DeviceFileEvents with ActionType=FileDeleted for the history file path.
- Test 2Truncate PowerShell History via Clear-History and Set-Content
Expected signal: PowerShell process creation with Set-Content and Get-PSReadlineOption. Sysmon EventCode 11 (FileCreate) or EventCode 15 on the ConsoleHost_history.txt file (file write). MDE DeviceFileEvents with ActionType=FileModified targeting the PSReadLine history path.
- Test 3Clear Linux Bash History and Disable Future Recording
Expected signal: Shell process execution with history -c, rm ~/.bash_history in command arguments. Linux audit daemon EXECVE records for each command in the chain. DeviceFileEvents (if MDE Linux agent deployed) with FileDeleted for .bash_history. Process command line will include HISTSIZE=0 in environment modification.
References (5)
- https://attack.mitre.org/techniques/T1070/003/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
- https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md
Unlock Pro Content
Get the full detection package for T1070.003 including response playbook, investigation guide, and atomic red team tests.