Detect Clear Command History in Sumo Logic CSE
Adversaries clear command history to conceal actions taken during an intrusion. On Windows, PowerShell keeps two history stores: the in-session history (cleared by Clear-History) and the PSReadLine history file at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, which survives the session. Attackers delete or truncate that file, for example with Remove-Item (Get-PSReadlineOption).HistorySavePath, the method used by Medusa Group ransomware. On Linux/macOS, history -c clears the in-memory history, HISTFILE= (or unset HISTFILE) stops the shell from writing its history file at exit, and rm ~/.bash_history deletes the persistent record. Setting HISTSIZE=0 or HISTFILESIZE=0 prevents future history recording. TeamTNT, Aquatic Panda, APT41, Kobalos, and APT5 (ESXi) have all been observed clearing command history as post-exploitation cleanup.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.003 Clear Command History
- Canonical reference: https://attack.mitre.org/techniques/T1070/003/
Sumo Detection Query
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*linux*audit* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "User=*\n" as user nodrop
| parse "Computer=*\n" as computer nodrop
| parse "TargetFilename=*\n" as target_filename nodrop
| parse "type=* " as audit_type nodrop
| parse "exe=\"*\"" as exe nodrop
| parse "auid=* " as auid nodrop
| parse "a0=\"*\"" as a0 nodrop
| parse "a1=\"*\"" as a1 nodrop
| parse "a2=\"*\"" as a2 nodrop
| parse "a3=\"*\"" as a3 nodrop
/* Sysmon 1 = process create, Sysmon 23 = file delete; auditd EXECVE carries argv as a0..aN */
| where event_code = "1" OR event_code = "23" OR audit_type = "EXECVE"
/* auditd argv as one string; a1..a3 may be absent, so substitute "" rather than passing null to concat */
| concat(if(isNull(a1), "", a1), " ", if(isNull(a2), "", a2), " ", if(isNull(a3), "", a3)) as linux_args
| where (
/* PowerShell PSReadLine manipulation from a new powershell/pwsh process (Sysmon 1).
   Commands typed into an already running console create no process and need script block logging instead. */
(
event_code = "1"
AND (process_image matches "*powershell.exe" OR process_image matches "*pwsh.exe")
AND (
toLowerCase(command_line) matches "*consolehost_history*"
OR toLowerCase(command_line) matches "*psreadline*"
OR toLowerCase(command_line) matches "*clear-history*"
OR (toLowerCase(command_line) matches "*remove-item*" AND toLowerCase(command_line) matches "*history*")
)
)
/* PSReadLine history file deleted (Sysmon 23), whichever process did it */
OR (
event_code = "23"
AND toLowerCase(target_filename) matches "*consolehost_history.txt"
)
/* Linux shell launched as <shell> -c "<script>": a1 is "-c" and the script is in a2.
   history -c, HISTFILE=, HISTSIZE=0 and HISTFILESIZE=0 are builtins or variable assignments;
   typed at an interactive prompt they never execve and only reach auditd when handed to a new shell this way. */
OR (
(exe matches "*/bash" OR exe matches "*/sh" OR exe matches "*/dash" OR exe matches "*/zsh" OR exe matches "*/fish"
OR a0 matches "*bash" OR a0 matches "*dash" OR a0 matches "*zsh" OR a0 matches "*fish" OR a0 matches "*/sh" OR a0 = "sh" OR a0 = "-sh")
AND a1 = "-c"
AND (
toLowerCase(a2) matches "*history -c*"
OR toLowerCase(a2) matches "*histfile=*"
OR toLowerCase(a2) matches "*histsize=0*"
OR toLowerCase(a2) matches "*histfilesize=0*"
OR (a2 matches "*rm *" AND (a2 matches "*bash_history*" OR a2 matches "*zsh_history*"))
)
)
/* Direct deletion or shredding of a shell history file; the path may sit in a1, a2 or a3 (rm -f <path>) */
OR (
(exe matches "*/rm" OR exe matches "*/unlink" OR exe matches "*/shred"
OR a0 = "rm" OR a0 = "unlink" OR a0 = "shred")
AND (
linux_args matches "*.bash_history*"
OR linux_args matches "*.zsh_history*"
OR linux_args matches "*.ash_history*"
OR linux_args matches "*.fish_history*"
)
)
)
/* exe and auid come from the auditd SYSCALL record; fall back to a0 when only the EXECVE line was ingested */
| if(!isNull(process_image), process_image, if(!isNull(exe), exe, a0)) as process_name
| if(!isNull(command_line), command_line,
    if(!isNull(target_filename), target_filename, concat(if(isNull(a0), "", a0), " ", linux_args))) as full_command
| if(!isNull(user), user, if(!isNull(auid), concat("auid=", auid), "unknown")) as actor
| if(!isNull(computer), computer, _sourceHost) as host
| if(
toLowerCase(full_command) matches "*consolehost_history*" OR toLowerCase(full_command) matches "*psreadline*",
"PowerShell PSReadLine",
if(
toLowerCase(full_command) matches "*histfile=*" OR toLowerCase(full_command) matches "*histsize=0*" OR toLowerCase(full_command) matches "*histfilesize=0*",
"History Suppression via Env Var",
if(
toLowerCase(full_command) matches "*history -c*" OR toLowerCase(full_command) matches "*clear-history*",
"In-Memory History Clear",
"History File Deletion"
)
)
) as history_clear_type
| fields _messagetime, host, actor, process_name, full_command, history_clear_type
| sort by _messagetime desc
| limit 500

Detects T1070.003 command history clearing using Sumo Logic CSE across Windows Sysmon process-creation and file-delete events and Linux auditd EXECVE records. It identifies PowerShell PSReadLine manipulation, in-memory history clearing (history -c, Clear-History), environment-variable history suppression (HISTFILE=, HISTSIZE=0, HISTFILESIZE=0) passed to a new shell, and direct deletion or shredding of shell history files.
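The same detection logic, modelled in Python so it can be exercised offline against sample log lines. This is an added example, not code from the original page or from Sumo Logic. The auditd lines are constructed for the example; the function names (parse_auditd, classify, detect_linux) and the join on the audit serial are this example's own design, and the labels returned by classify mirror the query's history_clear_type values. It also shows the point the query depends on: exe and auid live in the SYSCALL record while argv lives in the EXECVE record, so the two must be joined on msg=audit(time:serial) before exe-based matching works.

```python
"""Offline model of the T1070.003 detection: join auditd SYSCALL/EXECVE records on
their audit serial, then classify history-clearing commands the way the query does."""
import re
from pathlib import PurePosixPath

HIST_FILES = (".bash_history", ".zsh_history", ".ash_history", ".fish_history")
SHELLS = {"bash", "sh", "dash", "ash", "zsh", "fish"}
DELETERS = {"rm", "unlink", "shred"}

# Constructed auditd sample (not a real capture). SYSCALL lines carry exe= and auid=,
# EXECVE lines carry argv as a0..aN; both share the msg=audit(ts:serial) key.
# An interactive `history -c` is a builtin and leaves no record at all; serial 501
# exists only because the command was handed to a new shell with -c.
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="bash" a1="-c" a2="history -c"
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2216 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="exec"
type=EXECVE msg=audit(1700000000.102:502): argc=3 a0="rm" a1="-f" a2="/home/dev/.bash_history"
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2217 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.103:503): argc=3 a0="bash" a1="-c" a2="HISTFILESIZE=0 HISTSIZE=0 ./deploy.sh"
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2218 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.104:504): argc=2 a0="ls" a1="-la"
"""

AUDIT_HDR = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_auditd(raw):
    """Join SYSCALL and EXECVE lines on their audit serial: one dict per exec event."""
    events = {}
    for line in raw.splitlines():
        hdr = AUDIT_HDR.match(line)
        if not hdr:
            continue
        rec = events.setdefault(hdr.group(3), {})
        for key, quoted, bare in AUDIT_KV.findall(line):
            rec[key] = bare or quoted  # quoted values may legitimately be empty
    return events


def argv_of(rec):
    """Rebuild argv from EXECVE's a0..aN fields, in index order."""
    args = [(int(k[1:]), v) for k, v in rec.items() if re.fullmatch(r"a\d+", k)]
    return [v for _, v in sorted(args)]


def classify(process_name, full_command):
    """Mirror the query's where-clause and its history_clear_type labels.
    Returns the label, or None when the command is not history clearing."""
    # Windows or POSIX path; login shells prefix argv[0] with "-" (e.g. "-bash")
    base = PurePosixPath(process_name.replace("\\", "/")).name.lower().lstrip("-")
    cmd = full_command.lower()
    if base in ("powershell.exe", "pwsh.exe"):
        if "consolehost_history" in cmd or "psreadline" in cmd:
            return "PowerShell PSReadLine"
        if "clear-history" in cmd:
            return "In-Memory History Clear"
        if "remove-item" in cmd and "history" in cmd:
            return "History File Deletion"
        return None
    if base in SHELLS:
        if re.search(r"\bhist(file)?size=0\b", cmd) or "histfile=" in cmd:
            return "History Suppression via Env Var"
        if re.search(r"\bhistory\s+-c\b", cmd):
            return "In-Memory History Clear"
        if re.search(r"\brm\b", cmd) and any(h in cmd for h in HIST_FILES):
            return "History File Deletion"
        return None
    if base in DELETERS and any(h in cmd for h in HIST_FILES):
        return "History File Deletion"
    return None


def detect_linux(raw):
    """Run the Linux branches over joined auditd events; one row per hit, in serial order."""
    hits = []
    for serial, rec in sorted(parse_auditd(raw).items(), key=lambda kv: int(kv[0])):
        argv = argv_of(rec)
        if not argv:  # no EXECVE record: nothing was executed
            continue
        process = rec.get("exe", argv[0])  # exe is in SYSCALL; fall back to a0 like the query
        command = " ".join(argv)
        label = classify(process, command)
        if label:
            hits.append({"serial": serial, "actor": rec.get("auid", "unknown"),
                         "process": process, "command": command, "type": label})
    return hits


if __name__ == "__main__":
    for hit in detect_linux(SAMPLE_AUDITD):
        print(hit)
    print(classify(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   'powershell.exe -NoP -c "Remove-Item (Get-PSReadlineOption).HistorySavePath"'))
```

Running it yields three Linux hits (serials 501, 502 and 503) and none for the ls record, and the PowerShell command line is labelled "PowerShell PSReadLine". If the collector ships only EXECVE lines, exe and auid are missing and the fallback to a0 is what keeps the rm and bash branches firing.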
Data Sources
- Windows: Sysmon EventCode 1 (ProcessCreate) for the PowerShell command line, and Sysmon EventCode 23 (FileDelete) for the PSReadLine history file. Commands typed into an already running PowerShell console do not create a new process; PowerShell script block logging (Event ID 4104) is where those appear, and this query does not cover it.
- Linux: auditd EXECVE records, which carry argv as a0..aN, plus the matching SYSCALL record, which carries exe= and auid=. The two are separate log lines sharing the msg=audit(time:serial) key, so exe and auid are only populated when the collector joins them; the Linux branches fall back to a0 so they still fire on EXECVE alone.
- history -c, unset HISTFILE, HISTSIZE=0 and HISTFILESIZE=0 are shell builtins or variable assignments. Typed at an interactive prompt they never call execve and leave no audit record; they are visible here only when passed to a new shell with -c or when a process environment is set up via a wrapper such as env.
False Positives & Tuning
- IT operations teams running standardized shell profile scripts that set HISTSIZE=0 for shared service accounts to prevent credential leakage in history files
- Red team or penetration testing activities during authorized engagements where history clearing is intentional tradecraft
- Container or ephemeral workload initialization scripts that configure shell environments without persistent history
Testing Methodology
Validate this detection against the three Atomic Red Team tests for T1070.003 listed below. Each test describes the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Clear PowerShell PSReadLine History File
Expected signal: Sysmon EventCode 23 (FileDelete), or EventCode 26 (FileDeleteDetected) when Sysmon is not configured to archive deleted files, targeting %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. PowerShell process creation event with Remove-Item and Get-PSReadlineOption in the command line. MDE DeviceFileEvents with ActionType=FileDeleted for the history file path.
- Test 2: Truncate PowerShell History via Clear-History and Set-Content
Expected signal: PowerShell process creation with Set-Content and Get-PSReadlineOption in the command line. Sysmon EventCode 11 (FileCreate, which is also raised when an existing file is overwritten) for ConsoleHost_history.txt; Sysmon has no generic file-write event, so the process creation event is the reliable signal. MDE DeviceFileEvents with ActionType=FileModified targeting the PSReadLine history path.
- Test 3: Clear Linux Bash History and Disable Future Recording
Expected signal: auditd EXECVE records for rm with the .bash_history path in a1..a3, and for any shell started with -c whose script contains history -c or HISTSIZE=0. Builtins and variable assignments typed at an interactive prompt (history -c, HISTSIZE=0, unset HISTFILE) produce no EXECVE record, so run the test as bash -c "..." or from a script to generate telemetry, and corroborate with the history file's size and mtime. DeviceFileEvents (if the MDE Linux agent is deployed) with FileDeleted for .bash_history.
References
- https://attack.mitre.org/techniques/T1070/003/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
- https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md