T1562.003 CrowdStrike LogScale · LogScale

Detect Impair Command History Logging in CrowdStrike LogScale

Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.003 Impair Command History Logging
Canonical reference
https://attack.mitre.org/techniques/T1562/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(unset\s+HISTFILE|HISTFILE=\/dev\/null|HISTFILESIZE=0|HISTSIZE=0|HISTCONTROL=(ignoreboth|ignorespace)|set\s+\+o\s+history|history\s+-c|history\s+-w\s+\/dev\/null|Set-PSReadline[Oo]ption.*SaveNothing|Set-PSReadLine[Oo]ption.*HistorySavePath|Remove-Item.*ConsoleHost_history|del.*ConsoleHost_history)/
  OR (CommandLine = /(?i)(rm\s+-[rf]+|truncate\s+-s\s+0|ln\s+-sf\s+\/dev\/null)/ AND CommandLine = /(?i)(bash_history|zsh_history|fish_history)/)
| case {
    CommandLine = /(?i)unset\s+HISTFILE|HISTFILE=\/dev\/null/ | TamperMethod := "HISTFILE Disabled";
    CommandLine = /(?i)HISTFILESIZE=0|HISTSIZE=0/ | TamperMethod := "History Size Zeroed";
    CommandLine = /(?i)HISTCONTROL/ | TamperMethod := "HISTCONTROL Modified";
    CommandLine = /(?i)history\s+-c/ | TamperMethod := "History Cleared";
    CommandLine = /(?i)set\s+\+o\s+history/ | TamperMethod := "History Disabled";
    CommandLine = /(?i)SaveNothing|HistorySavePath/ | TamperMethod := "PSReadLine Tampered";
    CommandLine = /(?i)ConsoleHost_history/ | TamperMethod := "PS History File Deleted";
    CommandLine = /(?i)(bash_history|zsh_history|fish_history)/ | TamperMethod := "History File Manipulated";
    * | TamperMethod := "Other";
  }
| case {
    CommandLine = /(?i)(PSReadline|ConsoleHost_history)/ | Platform := "Windows";
    CommandLine = /(?i)(HISTFILE|bash_history|history -c|set \+o history)/ | Platform := "Linux/macOS";
    * | Platform := "Unknown";
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, TamperMethod, Platform, ParentBaseFileName])
| sort(timestamp, order=desc)
medium severity high confidence

CrowdStrike LogScale CQL query detecting T1562.003 impairment of command history logging. Queries ProcessRollup2 events for shell and PowerShell commands that disable, clear, redirect, or delete command history. Classifies events by tamper method and platform to support triage. Covers HISTFILE/HISTSIZE/HISTCONTROL manipulation on Linux/macOS and PSReadLine abuse on Windows.

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events)Falcon Insight XDR process telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • Falcon sensor deployment scripts and CrowdStrike-managed scripts that clear shell history as part of sensor installation or upgrade procedures on Linux endpoints
  • Vulnerability scanners and compliance tools (Tenable, Qualys) running authenticated checks that invoke history manipulation as part of their Linux assessment modules
  • Developer workstations where engineers manually run history -c or set +o history before pasting multi-line secrets or API tokens into terminal sessions during local development
Download portable Sigma rule (.yml)

Other platforms for T1562.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Disable Bash History via HISTFILE

    Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.

  2. Test 2Redirect History to /dev/null (BPFDoor Pattern)

    Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.

  3. Test 3Disable PSReadLine History on Windows

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.

Last updated: 2026-04-21 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1562.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1070.003Clear Command HistoryT1562.002Disable Windows Event LoggingT1562.012Disable or Modify Linux Audit SystemT1059.004Unix ShellT1059.001PowerShell

Same Tactic: Defense Evasion

Popular Detections