T1070.003 Splunk · SPL

Detect Clear Command History in Splunk

Adversaries clear command history to conceal actions taken during an intrusion. On Windows, PowerShell maintains two history stores: the in-session history (cleared by Clear-History) and the PSReadLine history file at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Attackers may delete or truncate this file or use Remove-Item (Get-PSReadlineOption).HistorySavePath — the method used by Medusa Group ransomware. On Linux/macOS, history -c clears the in-memory history, HISTFILE= unsets the history file, and rm ~/.bash_history deletes the persistent record. Setting HISTSIZE=0 or HISTFILESIZE=0 prevents future history recording. TeamTNT, Aquatic Panda, APT41, Kobalos, and APT5 (ESXi) have all been observed clearing command history as post-exploitation cleanup.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.003 Clear Command History
Canonical reference
https://attack.mitre.org/techniques/T1070/003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (Image like "%powershell.exe" OR Image like "%pwsh.exe")
  AND (CommandLine like "%ConsoleHost_history%" OR CommandLine like "%PSReadLine%"
       OR CommandLine like "%Get-PSReadlineOption%" OR CommandLine like "%Clear-History%"
       OR match(CommandLine, "Remove-Item.*history"))
| eval HistoryClearType="PowerShell PSReadLine History"
| table _time, host, User, Image, CommandLine, ParentImage, HistoryClearType
| sort - _time
| append [
    search index=linux_audit (type=EXECVE OR type=SYSCALL)
    | where (a0="bash" OR a0="sh" OR a0="zsh")
      AND (match(a1, "history.*-c") OR match(a2, "HISTFILE=") OR match(a2, "HISTSIZE=0")
           OR (match(a1, "rm") AND (match(a2, "bash_history") OR match(a2, "zsh_history"))))
    | eval HistoryClearType="Linux Shell History Clear"
    | table _time, host, auid, a0, a1, a2, HistoryClearType
]
| sort - _time
medium severity medium confidence

Detects PowerShell history clearing on Windows via Sysmon EventCode 1 (process creation), targeting commands that reference PSReadLine history files, Clear-History cmdlet, or Remove-Item against history paths. Also detects Linux bash history clearing via audit daemon EXECVE events for shell commands using history -c or rm .bash_history. The union approach provides cross-platform coverage.

Data Sources

Process: Process CreationSysmon Event ID 1Linux Audit Daemon: EXECVE

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operationallinux_audit

False Positives & Tuning

  • PowerShell profiles that run Clear-History on session start for privacy-conscious users
  • Service account shells configured with HISTSIZE=0 in /etc/profile.d/ for security compliance
  • Log rotation scripts that periodically clear user history files
  • IR tools that wipe history files as part of evidence preservation workflows on remediated hosts
Download portable Sigma rule (.yml)

Other platforms for T1070.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Clear PowerShell PSReadLine History File

    Expected signal: Sysmon EventCode 23 (FileDelete) targeting %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. PowerShell process creation event with Remove-Item and Get-PSReadlineOption in the command line. MDE DeviceFileEvents with ActionType=FileDeleted for the history file path.

  2. Test 2Truncate PowerShell History via Clear-History and Set-Content

    Expected signal: PowerShell process creation with Set-Content and Get-PSReadlineOption. Sysmon EventCode 11 (FileCreate) or EventCode 15 on the ConsoleHost_history.txt file (file write). MDE DeviceFileEvents with ActionType=FileModified targeting the PSReadLine history path.

  3. Test 3Clear Linux Bash History and Disable Future Recording

    Expected signal: Shell process execution with history -c, rm ~/.bash_history in command arguments. Linux audit daemon EXECVE records for each command in the chain. DeviceFileEvents (if MDE Linux agent deployed) with FileDeleted for .bash_history. Process command line will include HISTSIZE=0 in environment modification.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1070.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1070Indicator Removal

Related Sub-techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1070.004File DeletionT1070.005Network Share Connection RemovalT1070.006TimestompT1070.007Clear Network Connection History and ConfigurationsT1070.008Clear Mailbox DataT1070.009Clear PersistenceT1070.010Relocate Malware

Related Techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1059.001PowerShellT1059.004Unix ShellT1021.004SSHT1562.002Disable Windows Event Logging

Same Tactic: Defense Evasion

Popular Detections