T1562.003 Google Chronicle · YARA-L

Detect Impair Command History Logging in Google Chronicle

Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.003 Impair Command History Logging
Canonical reference: https://attack.mitre.org/techniques/T1562/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule impair_command_history_logging {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.003 - Impair Command History Logging. Adversaries manipulate shell history environment variables, delete/redirect history files, or modify PSReadLine settings to hide executed commands."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.003"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    // Single UDM process launch event. The placeholders expose hostname and
    // command line for a match/outcome section if the rule is later aggregated.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    (
      // Linux/macOS: shell history environment variables disabled or neutered
      re.regex($e.target.process.command_line, `(?i)unset\s+HISTFILE`) or
      re.regex($e.target.process.command_line, `(?i)HISTFILE=\/dev\/null`) or
      re.regex($e.target.process.command_line, `(?i)HISTFILESIZE=0`) or
      re.regex($e.target.process.command_line, `(?i)HISTSIZE=0`) or
      re.regex($e.target.process.command_line, `(?i)HISTCONTROL=(ignoreboth|ignorespace)`) or
      // Linux/macOS: in-memory history turned off, cleared, or written to /dev/null
      re.regex($e.target.process.command_line, `(?i)set\s+\+o\s+history`) or
      re.regex($e.target.process.command_line, `(?i)history\s+-c`) or
      re.regex($e.target.process.command_line, `(?i)history\s+-w\s+\/dev\/null`) or
      // Windows: PSReadLine history disabled or redirected, or the history file removed
      // ((?i) already makes the match case-insensitive, so no character class is needed)
      re.regex($e.target.process.command_line, `(?i)Set-PSReadLineOption.*SaveNothing`) or
      re.regex($e.target.process.command_line, `(?i)Set-PSReadLineOption.*HistorySavePath`) or
      re.regex($e.target.process.command_line, `(?i)Remove-Item.*ConsoleHost_history`) or
      re.regex($e.target.process.command_line, `(?i)del.*ConsoleHost_history`) or
      // Destructive operation on a shell history file: both the action and the
      // target file name must appear in the same command line
      (
        re.regex($e.target.process.command_line, `(?i)(rm\s+-[rf]+|truncate\s+-s\s+0|ln\s+-sf\s+/dev/null)`) and
        re.regex($e.target.process.command_line, `(?i)(bash_history|zsh_history|fish_history)`)
      )
    )

  condition:
    $e
}
```
Severity: medium · Confidence: high

Chronicle YARA-L 2.0 rule detecting T1562.003 command history tampering. Matches process launch events where the command line contains known patterns for disabling or clearing shell history via environment variable manipulation, history file deletion, /dev/null redirection, or PowerShell PSReadLine configuration abuse. Uses UDM PROCESS_LAUNCH event type and regex matching against target.process.command_line.

Data Sources

  • Chronicle UDM (Unified Data Model) process events
  • Google Workspace Chronicle ingestion
  • VirusTotal Enterprise Chronicle integration
  • Endpoint EDR logs forwarded to Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Legitimate security hardening automation that configures HISTCONTROL=ignorespace as part of CIS benchmark Level 1 Linux baseline implementation across managed server fleets
  • Cloud-init or user-data scripts on AWS/GCP/Azure instances that unset HISTFILE during first-boot configuration to avoid recording bootstrap credentials in persistent shell history
  • Red team simulation platforms (Atomic Red Team, VECTR) running T1562.003 atomic tests in authorized purple team exercises
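To check the rule's regex logic and the tuning notes above offline before deploying, here is an added Python harness (not part of the original page or the Argus rule) that mirrors each clause of the YARA-L rule, runs it over constructed sample command lines, and applies an assumed parent-process allowlist for the cloud-init and hardening-automation cases listed as false positives. The parent names in `BENIGN_PARENTS` and all sample events are assumptions constructed for this example.

```python
import re

# Regexes mirroring the YARA-L rule above (RE2 syntax that Python's re also accepts).
PATTERNS = {
    "unset_histfile": r"(?i)unset\s+HISTFILE",
    "histfile_devnull": r"(?i)HISTFILE=/dev/null",
    "histfilesize_zero": r"(?i)HISTFILESIZE=0",
    "histsize_zero": r"(?i)HISTSIZE=0",
    "histcontrol_ignore": r"(?i)HISTCONTROL=(ignoreboth|ignorespace)",
    "set_plus_o_history": r"(?i)set\s+\+o\s+history",
    "history_clear": r"(?i)history\s+-c",
    "history_write_devnull": r"(?i)history\s+-w\s+/dev/null",
    "psreadline_savenothing": r"(?i)Set-PSReadLineOption.*SaveNothing",
    "psreadline_savepath": r"(?i)Set-PSReadLineOption.*HistorySavePath",
    "consolehost_history_removed": r"(?i)(Remove-Item|del).*ConsoleHost_history",
}
# The rule's compound clause: a destructive file operation AND a shell history file name.
FILE_TAMPER_ACTION = r"(?i)(rm\s+-[rf]+|truncate\s+-s\s+0|ln\s+-sf\s+/dev/null)"
FILE_TAMPER_TARGET = r"(?i)(bash_history|zsh_history|fish_history)"

# Assumed tuning allowlist (not from the page): parent processes covered by the
# false-positive notes above; hits under these parents are reported as suppressed.
BENIGN_PARENTS = {"cloud-init", "ansible-playbook"}

def match_history_tampering(cmdline: str) -> list[str]:
    """Return the names of every rule clause the command line satisfies."""
    hits = [name for name, pat in PATTERNS.items() if re.search(pat, cmdline)]
    if re.search(FILE_TAMPER_ACTION, cmdline) and re.search(FILE_TAMPER_TARGET, cmdline):
        hits.append("history_file_tamper")
    return hits

def evaluate(event: dict) -> dict:
    """Evaluate one PROCESS_LAUNCH-style event; suppression mirrors the tuning notes."""
    hits = match_history_tampering(event["command_line"])
    suppressed = bool(hits) and event.get("parent_process") in BENIGN_PARENTS
    return {"hits": hits, "alert": bool(hits) and not suppressed, "suppressed": suppressed}

# Constructed sample events (not real telemetry); the last two are expected not to alert.
SAMPLE_EVENTS = [
    {"command_line": "bash -c 'unset HISTFILE; id'", "parent_process": "sshd"},
    {"command_line": "sh -c 'export HISTFILE=/dev/null; export HISTSIZE=0'", "parent_process": "sshd"},
    {"command_line": 'powershell.exe -Command "Set-PSReadlineOption -HistorySaveStyle SaveNothing"', "parent_process": "explorer.exe"},
    {"command_line": "/bin/rm -rf /home/svc/.bash_history", "parent_process": "bash"},
    {"command_line": "sh -c 'echo HISTCONTROL=ignorespace >> /etc/profile.d/cis.sh'", "parent_process": "cloud-init"},
    {"command_line": "ls -la /home/user/.bash_history", "parent_process": "bash"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev), "<-", ev["command_line"])
```

Note that `HISTSIZE=0` and `HISTFILESIZE=0` match as substrings, so a value such as `HISTSIZE=01000` also trips the clause; anchor the value (for example `HISTSIZE=0(\s|;|$)`) if that shows up in your environment.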

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Disable Bash History via HISTFILE

    Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.

  2. Test 2: Redirect History to /dev/null (BPFDoor Pattern)

    Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.

  3. Test 3: Disable PSReadLine History on Windows

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.
