Detect Impair Command History Logging in Elastic Security
Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.003 Impair Command History Logging
- Canonical reference
- https://attack.mitre.org/techniques/T1562/003/
Elastic Detection Query
process where event.type == "start" and (
process.args : ("unset HISTFILE", "HISTFILE=/dev/null", "HISTFILESIZE=0", "HISTSIZE=0",
"HISTCONTROL=ignoreboth", "HISTCONTROL=ignorespace", "set +o history",
"history -c", "history -w /dev/null", "MYSQL_HISTFILE=/dev/null") or
process.command_line : ("*unset HISTFILE*", "*HISTFILE=/dev/null*", "*HISTFILESIZE=0*",
"*HISTSIZE=0*", "*HISTCONTROL=ignoreboth*", "*HISTCONTROL=ignorespace*",
"*set +o history*", "*history -c*", "*history -w /dev/null*",
"*Set-PSReadlineOption*SaveNothing*", "*Set-PSReadLineOption*HistorySavePath*",
"*Remove-Item*ConsoleHost_history*", "*del*ConsoleHost_history*") or
(process.name in ("rm", "truncate", "ln") and
process.args : ("*bash_history*", "*fish_history*", "*.zsh_history*", "*/dev/null*"))
)Detects attempts to impair command history logging on Linux, macOS, and Windows systems. Covers manipulation of HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, deletion or redirection of history files to /dev/null, and PSReadLine configuration changes that suppress PowerShell command history.
Data Sources
Required Tables
False Positives & Tuning
- Security baseline hardening scripts that set HISTCONTROL=ignorespace to suppress sensitive commands containing passwords from being stored
- Container entrypoint scripts and CI/CD pipeline agents that clear history as part of ephemeral environment teardown or cleanup routines
- Legitimate admin scripts that redirect history to /dev/null during automated provisioning to prevent credential leakage into shell history files
Other platforms for T1562.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Bash History via HISTFILE
Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.
- Test 2Redirect History to /dev/null (BPFDoor Pattern)
Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.
- Test 3Disable PSReadLine History on Windows
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.
References (5)
- https://attack.mitre.org/techniques/T1562/003/
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.cisa.gov/sites/default/files/publications/AA20-239A_Joint_Advisory.pdf
- https://learn.microsoft.com/en-us/powershell/module/psreadline/set-psreadlineoption
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md
Unlock Pro Content
Get the full detection package for T1562.003 including response playbook, investigation guide, and atomic red team tests.