T1562.003 Impair Command History Logging Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let HistoryTampering = dynamic(["unset HISTFILE", "export HISTFILE=/dev/null", "export HISTFILESIZE=0", "export HISTSIZE=0", "HISTCONTROL=ignoreboth", "HISTCONTROL=ignorespace", "set +o history", "history -c", "history -w /dev/null", "rm -f ~/.bash_history", "truncate -s 0", "ln -sf /dev/null", "Set-PSReadlineOption -HistorySaveStyle SaveNothing", "Set-PSReadLineOption -HistorySavePath", "Remove-Item*ConsoleHost_history.txt", "del*ConsoleHost_history.txt"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (HistoryTampering)
| extend Platform = case(
    ProcessCommandLine has_any ("PSReadline", "ConsoleHost_history"), "Windows",
    ProcessCommandLine has_any ("HISTFILE", "bash_history", "history -c", "set +o history"), "Linux/macOS",
    "Unknown")
| extend TamperMethod = case(
    ProcessCommandLine has "unset HISTFILE" or ProcessCommandLine has "HISTFILE=/dev/null", "HISTFILE Disabled",
    ProcessCommandLine has "HISTFILESIZE=0" or ProcessCommandLine has "HISTSIZE=0", "History Size Zeroed",
    ProcessCommandLine has "HISTCONTROL", "HISTCONTROL Modified",
    ProcessCommandLine has "history -c", "History Cleared",
    ProcessCommandLine has "set +o history", "History Disabled",
    ProcessCommandLine has "rm" or ProcessCommandLine has "truncate" or ProcessCommandLine has "ln -sf /dev/null", "History File Deleted/Redirected",
    ProcessCommandLine has "SaveNothing", "PSReadLine Disabled",
    ProcessCommandLine has "HistorySavePath", "PSReadLine Redirected",
    ProcessCommandLine has "ConsoleHost_history", "PS History File Deleted",
    "Other")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, Platform, TamperMethod, InitiatingProcessFileName
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sensor Health: Host Status

Required Tables

DeviceProcessEvents

False Positives

Developers or sysadmins who habitually set HISTCONTROL=ignorespace for convenience when typing sensitive commands (e.g., inline passwords)
Automated provisioning or hardening scripts that configure shell history settings as part of baseline configuration
Docker container entrypoint scripts that disable history logging in ephemeral environments

Splunk

spl

(index=linux sourcetype=syslog OR sourcetype=audit
  ("unset HISTFILE" OR "HISTFILE=/dev/null" OR "HISTFILESIZE=0" OR "HISTSIZE=0" OR "HISTCONTROL=ignoreboth" OR "HISTCONTROL=ignorespace" OR "set +o history" OR "history -c" OR "rm -f ~/.bash_history" OR "rm ~/.bash_history" OR "ln -sf /dev/null" OR "MYSQL_HISTFILE"))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*Set-PSReadlineOption*SaveNothing*" OR CommandLine="*Set-PSReadLineOption*HistorySavePath*" OR CommandLine="*Remove-Item*ConsoleHost_history*" OR CommandLine="*del*ConsoleHost_history*"))
| eval Platform=case(
    sourcetype=="syslog" OR sourcetype=="audit", "Linux/macOS",
    match(sourcetype, "Sysmon"), "Windows",
    true(), "Unknown")
| eval TamperMethod=case(
    match(_raw, "(?i)unset HISTFILE|HISTFILE=/dev/null"), "HISTFILE Disabled",
    match(_raw, "(?i)HISTFILESIZE=0|HISTSIZE=0"), "History Size Zeroed",
    match(_raw, "(?i)HISTCONTROL"), "HISTCONTROL Modified",
    match(_raw, "(?i)history -c"), "History Cleared",
    match(_raw, "(?i)set \+o history"), "History Disabled",
    match(_raw, "(?i)SaveNothing"), "PSReadLine Disabled",
    match(_raw, "(?i)HistorySavePath"), "PSReadLine Redirected",
    true(), "Other")
| table _time, host, User, Platform, TamperMethod, _raw
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Linux Syslog Linux Auditd

Required Sourcetypes

syslog audit XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers or sysadmins who habitually set HISTCONTROL=ignorespace for convenience when typing sensitive commands
Automated provisioning or hardening scripts that configure shell history settings as part of baseline configuration
Docker container entrypoint scripts that disable history logging in ephemeral environments

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.args : ("unset HISTFILE", "HISTFILE=/dev/null", "HISTFILESIZE=0", "HISTSIZE=0",
                  "HISTCONTROL=ignoreboth", "HISTCONTROL=ignorespace", "set +o history",
                  "history -c", "history -w /dev/null", "MYSQL_HISTFILE=/dev/null") or
  process.command_line : ("*unset HISTFILE*", "*HISTFILE=/dev/null*", "*HISTFILESIZE=0*",
                           "*HISTSIZE=0*", "*HISTCONTROL=ignoreboth*", "*HISTCONTROL=ignorespace*",
                           "*set +o history*", "*history -c*", "*history -w /dev/null*",
                           "*Set-PSReadlineOption*SaveNothing*", "*Set-PSReadLineOption*HistorySavePath*",
                           "*Remove-Item*ConsoleHost_history*", "*del*ConsoleHost_history*") or
  (process.name in ("rm", "truncate", "ln") and
   process.args : ("*bash_history*", "*fish_history*", "*.zsh_history*", "*/dev/null*"))
)

medium severity high confidence

Data Sources

Endpoint logs Auditd Sysmon for Linux Windows Sysmon

Required Tables

logs-endpoint.events.process-* logs-system.syslog-* winlogbeat-*

False Positives

Security baseline hardening scripts that set HISTCONTROL=ignorespace to suppress sensitive commands containing passwords from being stored
Container entrypoint scripts and CI/CD pipeline agents that clear history as part of ephemeral environment teardown or cleanup routines
Legitimate admin scripts that redirect history to /dev/null during automated provisioning to prevent credential leakage into shell history files

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "CommandLine",
  CASE
    WHEN "CommandLine" ILIKE '%unset HISTFILE%' OR "CommandLine" ILIKE '%HISTFILE=/dev/null%' THEN 'HISTFILE Disabled'
    WHEN "CommandLine" ILIKE '%HISTFILESIZE=0%' OR "CommandLine" ILIKE '%HISTSIZE=0%' THEN 'History Size Zeroed'
    WHEN "CommandLine" ILIKE '%HISTCONTROL%' THEN 'HISTCONTROL Modified'
    WHEN "CommandLine" ILIKE '%history -c%' THEN 'History Cleared'
    WHEN "CommandLine" ILIKE '%set +o history%' THEN 'History Disabled'
    WHEN "CommandLine" ILIKE '%SaveNothing%' OR "CommandLine" ILIKE '%HistorySavePath%' THEN 'PSReadLine Tampered'
    WHEN "CommandLine" ILIKE '%ConsoleHost_history%' THEN 'PS History File Deleted'
    WHEN "CommandLine" ILIKE '%bash_history%' AND ("CommandLine" ILIKE '%rm %' OR "CommandLine" ILIKE '%truncate%' OR "CommandLine" ILIKE '%ln -sf%') THEN 'History File Deleted'
    ELSE 'Other'
  END AS tamper_method,
  CASE
    WHEN LOGSOURCETYPEID(logsourceid) = 12 THEN 'Windows'
    WHEN LOGSOURCETYPEID(logsourceid) IN (71, 233, 352) THEN 'Linux/macOS'
    ELSE 'Unknown'
  END AS platform
FROM events
WHERE
  starttime > NOW() - 1 DAYS
  AND (
    "CommandLine" ILIKE '%unset HISTFILE%'
    OR "CommandLine" ILIKE '%HISTFILE=/dev/null%'
    OR "CommandLine" ILIKE '%HISTFILESIZE=0%'
    OR "CommandLine" ILIKE '%HISTSIZE=0%'
    OR "CommandLine" ILIKE '%HISTCONTROL=ignoreboth%'
    OR "CommandLine" ILIKE '%HISTCONTROL=ignorespace%'
    OR "CommandLine" ILIKE '%set +o history%'
    OR "CommandLine" ILIKE '%history -c%'
    OR "CommandLine" ILIKE '%history -w /dev/null%'
    OR "CommandLine" ILIKE '%Set-PSReadlineOption%SaveNothing%'
    OR "CommandLine" ILIKE '%Set-PSReadLineOption%HistorySavePath%'
    OR "CommandLine" ILIKE '%Remove-Item%ConsoleHost_history%'
    OR "CommandLine" ILIKE '%del%ConsoleHost_history%'
    OR ("CommandLine" ILIKE '%bash_history%'
        AND ("CommandLine" ILIKE '%rm -%' OR "CommandLine" ILIKE '%truncate -s 0%' OR "CommandLine" ILIKE '%ln -sf /dev/null%'))
  )
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

Sysmon for Windows (via WinCollect or DSM) Linux auditd via QRadar DSM CrowdStrike Falcon via QRadar app Carbon Black via QRadar DSM

Required Tables

events

False Positives

Automated infrastructure-as-code tools (Ansible, Chef, Puppet) that set HISTCONTROL=ignorespace to avoid recording plaintext credentials passed as command arguments during provisioning
Docker container initialization scripts that clear or redirect bash history as part of image build or ephemeral container startup to reduce attack surface
Security teams running STIG compliance enforcement scripts that modify history settings as part of baseline hardening on managed Linux hosts

Sumo Logic CSE

sql

(_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*audit* OR _sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where (
    (%"CommandLine" matches "*unset HISTFILE*"
    OR %"CommandLine" matches "*HISTFILE=/dev/null*"
    OR %"CommandLine" matches "*HISTFILESIZE=0*"
    OR %"CommandLine" matches "*HISTSIZE=0*"
    OR %"CommandLine" matches "*HISTCONTROL=ignoreboth*"
    OR %"CommandLine" matches "*HISTCONTROL=ignorespace*"
    OR %"CommandLine" matches "*set +o history*"
    OR %"CommandLine" matches "*history -c*"
    OR %"CommandLine" matches "*history -w /dev/null*"
    OR %"CommandLine" matches "*Set-PSReadlineOption*SaveNothing*"
    OR %"CommandLine" matches "*Set-PSReadLineOption*HistorySavePath*"
    OR %"CommandLine" matches "*Remove-Item*ConsoleHost_history*"
    OR %"CommandLine" matches "*del*ConsoleHost_history*")
  OR (
    (%"CommandLine" matches "*rm *" OR %"CommandLine" matches "*truncate*" OR %"CommandLine" matches "*ln -sf*")
    AND (%"CommandLine" matches "*bash_history*" OR %"CommandLine" matches "*zsh_history*" OR %"CommandLine" matches "*fish_history*")
  )
)
| if (_sourceCategory matches "*linux*" OR _sourceCategory matches "*syslog*" OR _sourceCategory matches "*audit*", "Linux/macOS",
     if (_sourceCategory matches "*windows*" OR _sourceCategory matches "*sysmon*", "Windows", "Unknown")) as platform
| if (%"CommandLine" matches "*unset HISTFILE*" OR %"CommandLine" matches "*HISTFILE=/dev/null*", "HISTFILE Disabled",
     if (%"CommandLine" matches "*HISTFILESIZE=0*" OR %"CommandLine" matches "*HISTSIZE=0*", "History Size Zeroed",
     if (%"CommandLine" matches "*HISTCONTROL*", "HISTCONTROL Modified",
     if (%"CommandLine" matches "*history -c*", "History Cleared",
     if (%"CommandLine" matches "*set +o history*", "History Disabled",
     if (%"CommandLine" matches "*SaveNothing*" OR %"CommandLine" matches "*HistorySavePath*", "PSReadLine Tampered",
     if (%"CommandLine" matches "*ConsoleHost_history*", "PS History File Deleted",
     if (%"CommandLine" matches "*bash_history*", "History File Manipulated", "Other")))))))) as tamper_method
| fields _messageTime, %host, %user, platform, tamper_method, %"CommandLine"
| sort by _messageTime desc

medium severity medium confidence

Data Sources

Linux syslog/auditd forwarded to Sumo Logic Windows Sysmon via Sumo Logic collector Sumo Logic CSE normalized process events

Required Tables

Syslog source category Sysmon source category CSE Normalized Events

False Positives

DevOps pipeline agents (Jenkins, GitLab runners, GitHub Actions self-hosted) that disable history recording in their shell wrapper scripts to prevent leaking tokens or credentials into persistent log files
System administrators using set +o history interactively when manually entering passwords or API keys during maintenance windows, then re-enabling with set -o history
Containerized workloads with entrypoint scripts that explicitly unset HISTFILE to reduce artifact footprint in ephemeral environments where persistence is undesirable

Google Chronicle / SecOps

yaral

rule impair_command_history_logging {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.003 - Impair Command History Logging. Adversaries manipulate shell history environment variables, delete/redirect history files, or modify PSReadLine settings to hide executed commands."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.003"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.command_line, `(?i)unset\s+HISTFILE`) or
      re.regex($e.target.process.command_line, `(?i)HISTFILE=\/dev\/null`) or
      re.regex($e.target.process.command_line, `(?i)HISTFILESIZE=0`) or
      re.regex($e.target.process.command_line, `(?i)HISTSIZE=0`) or
      re.regex($e.target.process.command_line, `(?i)HISTCONTROL=(ignoreboth|ignorespace)`) or
      re.regex($e.target.process.command_line, `(?i)set\s+\+o\s+history`) or
      re.regex($e.target.process.command_line, `(?i)history\s+-c`) or
      re.regex($e.target.process.command_line, `(?i)history\s+-w\s+\/dev\/null`) or
      re.regex($e.target.process.command_line, `(?i)Set-PSReadline[Oo]ption.*SaveNothing`) or
      re.regex($e.target.process.command_line, `(?i)Set-PSReadLine[Oo]ption.*HistorySavePath`) or
      re.regex($e.target.process.command_line, `(?i)Remove-Item.*ConsoleHost_history`) or
      re.regex($e.target.process.command_line, `(?i)del.*ConsoleHost_history`) or
      (
        re.regex($e.target.process.command_line, `(?i)(rm\s+-[rf]+|truncate\s+-s\s+0|ln\s+-sf\s+/dev/null)`) and
        re.regex($e.target.process.command_line, `(?i)(bash_history|zsh_history|fish_history)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) process events Google Workspace Chronicle ingestion VirusTotal Enterprise Chronicle integration Endpoint EDR logs forwarded to Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate security hardening automation that configures HISTCONTROL=ignorespace as part of CIS benchmark Level 1 Linux baseline implementation across managed server fleets
Cloud-init or user-data scripts on AWS/GCP/Azure instances that unset HISTFILE during first-boot configuration to avoid recording bootstrap credentials in persistent shell history
Red team simulation platforms (Atomic Red Team, VECTR) running T1562.003 atomic tests in authorized purple team exercises

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(unset\s+HISTFILE|HISTFILE=\/dev\/null|HISTFILESIZE=0|HISTSIZE=0|HISTCONTROL=(ignoreboth|ignorespace)|set\s+\+o\s+history|history\s+-c|history\s+-w\s+\/dev\/null|Set-PSReadline[Oo]ption.*SaveNothing|Set-PSReadLine[Oo]ption.*HistorySavePath|Remove-Item.*ConsoleHost_history|del.*ConsoleHost_history)/
  OR (CommandLine = /(?i)(rm\s+-[rf]+|truncate\s+-s\s+0|ln\s+-sf\s+\/dev\/null)/ AND CommandLine = /(?i)(bash_history|zsh_history|fish_history)/)
| case {
    CommandLine = /(?i)unset\s+HISTFILE|HISTFILE=\/dev\/null/ | TamperMethod := "HISTFILE Disabled";
    CommandLine = /(?i)HISTFILESIZE=0|HISTSIZE=0/ | TamperMethod := "History Size Zeroed";
    CommandLine = /(?i)HISTCONTROL/ | TamperMethod := "HISTCONTROL Modified";
    CommandLine = /(?i)history\s+-c/ | TamperMethod := "History Cleared";
    CommandLine = /(?i)set\s+\+o\s+history/ | TamperMethod := "History Disabled";
    CommandLine = /(?i)SaveNothing|HistorySavePath/ | TamperMethod := "PSReadLine Tampered";
    CommandLine = /(?i)ConsoleHost_history/ | TamperMethod := "PS History File Deleted";
    CommandLine = /(?i)(bash_history|zsh_history|fish_history)/ | TamperMethod := "History File Manipulated";
    * | TamperMethod := "Other";
  }
| case {
    CommandLine = /(?i)(PSReadline|ConsoleHost_history)/ | Platform := "Windows";
    CommandLine = /(?i)(HISTFILE|bash_history|history -c|set \+o history)/ | Platform := "Linux/macOS";
    * | Platform := "Unknown";
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, TamperMethod, Platform, ParentBaseFileName])
| sort(timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Falcon Insight XDR process telemetry

Required Tables

ProcessRollup2

False Positives

Falcon sensor deployment scripts and CrowdStrike-managed scripts that clear shell history as part of sensor installation or upgrade procedures on Linux endpoints
Vulnerability scanners and compliance tools (Tenable, Qualys) running authenticated checks that invoke history manipulation as part of their Linux assessment modules
Developer workstations where engineers manually run history -c or set +o history before pasting multi-line secrets or API tokens into terminal sessions during local development

Impair Command History Logging

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections