T1562.003 IBM QRadar · QRadar

Detect Impair Command History Logging in IBM QRadar

Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.003 Impair Command History Logging
Canonical reference
https://attack.mitre.org/techniques/T1562/003/

QRadar Detection Query

IBM QRadar AQL query:

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "CommandLine",
  CASE
    WHEN "CommandLine" ILIKE '%unset HISTFILE%' OR "CommandLine" ILIKE '%HISTFILE=/dev/null%' THEN 'HISTFILE Disabled'
    WHEN "CommandLine" ILIKE '%HISTFILESIZE=0%' OR "CommandLine" ILIKE '%HISTSIZE=0%' THEN 'History Size Zeroed'
    WHEN "CommandLine" ILIKE '%HISTCONTROL%' THEN 'HISTCONTROL Modified'
    WHEN "CommandLine" ILIKE '%history -c%' THEN 'History Cleared'
    WHEN "CommandLine" ILIKE '%set +o history%' THEN 'History Disabled'
    WHEN "CommandLine" ILIKE '%SaveNothing%' OR "CommandLine" ILIKE '%HistorySavePath%' THEN 'PSReadLine Tampered'
    WHEN "CommandLine" ILIKE '%ConsoleHost_history%' THEN 'PS History File Deleted'
    WHEN "CommandLine" ILIKE '%bash_history%' AND ("CommandLine" ILIKE '%rm %' OR "CommandLine" ILIKE '%truncate%' OR "CommandLine" ILIKE '%ln -sf%') THEN 'History File Deleted'
    ELSE 'Other'
  END AS tamper_method,
  CASE
    WHEN devicetype = 12 THEN 'Windows'
    WHEN devicetype IN (71, 233, 352) THEN 'Linux/macOS'
    ELSE 'Unknown'
  END AS platform
FROM events
WHERE
  "CommandLine" ILIKE '%unset HISTFILE%'
  OR "CommandLine" ILIKE '%HISTFILE=/dev/null%'
  OR "CommandLine" ILIKE '%HISTFILESIZE=0%'
  OR "CommandLine" ILIKE '%HISTSIZE=0%'
  OR "CommandLine" ILIKE '%HISTCONTROL=ignoreboth%'
  OR "CommandLine" ILIKE '%HISTCONTROL=ignorespace%'
  OR "CommandLine" ILIKE '%set +o history%'
  OR "CommandLine" ILIKE '%history -c%'
  OR "CommandLine" ILIKE '%history -w /dev/null%'
  OR "CommandLine" ILIKE '%Set-PSReadlineOption%SaveNothing%'
  OR "CommandLine" ILIKE '%Set-PSReadLineOption%HistorySavePath%'
  OR "CommandLine" ILIKE '%Remove-Item%ConsoleHost_history%'
  OR "CommandLine" ILIKE '%del%ConsoleHost_history%'
  OR ("CommandLine" ILIKE '%bash_history%'
      AND ("CommandLine" ILIKE '%rm -%' OR "CommandLine" ILIKE '%truncate -s 0%' OR "CommandLine" ILIKE '%ln -sf /dev/null%'))
ORDER BY starttime DESC
LAST 1 DAYS

Severity: medium. Confidence: medium.

Detects command history tampering across Linux/macOS and Windows endpoints ingested into QRadar. The query searches process execution logs for shell history environment variable manipulation, history file deletion, and PSReadLine configuration changes that stop commands from being recorded. It depends on a "CommandLine" custom event property being parsed from Sysmon, auditd, or EDR events; without that property populated, none of the ILIKE conditions can match. The time window is expressed with the AQL LAST clause, and the platform column maps the devicetype (log source type ID) of each event.

Data Sources

  • Sysmon for Windows (via WinCollect or DSM)
  • Linux auditd via QRadar DSM
  • CrowdStrike Falcon via QRadar app
  • Carbon Black via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Automated infrastructure-as-code tools (Ansible, Chef, Puppet) that set HISTCONTROL=ignorespace to avoid recording plaintext credentials passed as command arguments during provisioning
  • Docker container initialization scripts that clear or redirect bash history as part of image build or ephemeral container startup to reduce attack surface
  • Security teams running STIG compliance enforcement scripts that modify history settings as part of baseline hardening on managed Linux hosts
Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Disable Bash History via HISTFILE

    Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.

  2. Test 2: Redirect History to /dev/null (BPFDoor Pattern)

    Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.

  3. Test 3: Disable PSReadLine History on Windows

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.
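The following script is an added example, not code from this page or from IBM QRadar. It replays the AQL query's logic (the ILIKE patterns of the WHERE clause, the CASE labelling of tamper_method, and the devicetype-to-platform mapping) in Python over constructed command-line events, then applies the exclusions described under False Positives & Tuning so a detection engineer can check what the rule fires on before deploying it. The first three sample events mirror Tests 1 to 3 above; the Event fields, the parent_image property, the trusted process names and the hardening script path are assumptions made for the example.

```python
"""Replay this page's QRadar T1562.003 detection over constructed events.
Added example; not part of the page and not IBM QRadar code."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Event:
    """Stand-in for a QRadar event row (constructed, not real telemetry)."""
    devicetype: int     # log source type ID, as used by the query's platform CASE
    username: str
    parent_image: str   # assumed custom property for tuning; not in the page's query
    command_line: str   # the "CommandLine" custom event property


def ilike(value: str, pattern: str) -> bool:
    """Emulate AQL ILIKE: '%' matches any run, '_' any single character,
    case-insensitive, whole-value match (the query wraps every pattern in '%')."""
    regex = ".*".join(
        ".".join(re.escape(piece) for piece in part.split("_"))
        for part in pattern.split("%")
    )
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


# WHERE clause of the query, pattern for pattern.
WHERE_PATTERNS = [
    "%unset HISTFILE%", "%HISTFILE=/dev/null%", "%HISTFILESIZE=0%", "%HISTSIZE=0%",
    "%HISTCONTROL=ignoreboth%", "%HISTCONTROL=ignorespace%", "%set +o history%",
    "%history -c%", "%history -w /dev/null%",
    "%Set-PSReadlineOption%SaveNothing%", "%Set-PSReadLineOption%HistorySavePath%",
    "%Remove-Item%ConsoleHost_history%", "%del%ConsoleHost_history%",
]
HISTFILE_WHERE = ["%rm -%", "%truncate -s 0%", "%ln -sf /dev/null%"]

# CASE expression that labels tamper_method, in the query's order.
CASE_RULES = [
    ("HISTFILE Disabled", ["%unset HISTFILE%", "%HISTFILE=/dev/null%"]),
    ("History Size Zeroed", ["%HISTFILESIZE=0%", "%HISTSIZE=0%"]),
    ("HISTCONTROL Modified", ["%HISTCONTROL%"]),
    ("History Cleared", ["%history -c%"]),
    ("History Disabled", ["%set +o history%"]),
    ("PSReadLine Tampered", ["%SaveNothing%", "%HistorySavePath%"]),
    ("PS History File Deleted", ["%ConsoleHost_history%"]),
]
HISTFILE_CASE = ["%rm %", "%truncate%", "%ln -sf%"]


def matches_where(cmd: str) -> bool:
    if any(ilike(cmd, p) for p in WHERE_PATTERNS):
        return True
    return ilike(cmd, "%bash_history%") and any(ilike(cmd, p) for p in HISTFILE_WHERE)


def tamper_method(cmd: str) -> str:
    for label, patterns in CASE_RULES:
        if any(ilike(cmd, p) for p in patterns):
            return label
    if ilike(cmd, "%bash_history%") and any(ilike(cmd, p) for p in HISTFILE_CASE):
        return "History File Deleted"
    return "Other"  # e.g. 'history -w /dev/null' passes WHERE but hits no CASE branch


def platform(devicetype: int) -> str:
    if devicetype == 12:
        return "Windows"
    if devicetype in (71, 233, 352):
        return "Linux/macOS"
    return "Unknown"


# Tuning from the False Positives section. Process names are assumptions for
# your estate; the hardening script path is a placeholder.
TRUSTED_PARENTS = {"ansible-playbook", "chef-client", "puppet", "dockerd"}
HARDENING_SCRIPTS = {"/opt/hardening/stig-baseline.sh"}


def is_tuned_out(ev: Event) -> bool:
    parent = ev.parent_image.replace("\\", "/").rsplit("/", 1)[-1]
    return parent in TRUSTED_PARENTS or any(s in ev.command_line for s in HARDENING_SCRIPTS)


def run_detection(events: List[Event]) -> List[Dict[str, Any]]:
    """One alert per event that satisfies WHERE, annotated like the SELECT."""
    alerts = []
    for ev in events:
        if not matches_where(ev.command_line):
            continue
        alerts.append({
            "username": ev.username,
            "platform": platform(ev.devicetype),
            "tamper_method": tamper_method(ev.command_line),
            "suppressed": is_tuned_out(ev),
            "command_line": ev.command_line,
        })
    return alerts


# Constructed events: the first three mirror Tests 1-3; the rest exercise a
# tuned-out provisioning run, a WHERE-only match, a benign command and a
# history-file deletion.
SAMPLE_EVENTS = [
    Event(71, "www-data", "/bin/bash", "unset HISTFILE"),
    Event(71, "www-data", "/bin/bash", "export HISTFILE=/dev/null"),
    Event(12, "CORP\\jdoe", "C:\\Windows\\explorer.exe",
          'powershell.exe -NoProfile -Command "Set-PSReadlineOption -HistorySaveStyle SaveNothing"'),
    Event(71, "root", "/usr/bin/ansible-playbook",
          "HISTCONTROL=ignorespace /bin/sh -c 'deploy.sh --token REDACTED'"),
    Event(71, "root", "/bin/bash", "history -w /dev/null"),
    Event(71, "deploy", "/bin/bash", "ls -la /var/log"),
    Event(71, "www-data", "/bin/bash", "rm -f /home/www-data/.bash_history"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Two things the replay makes visible that the query alone does not: 'history -w /dev/null' is selected by the WHERE clause but lands in the 'Other' bucket because no CASE branch covers it, and the Ansible run matches on HISTCONTROL=ignorespace exactly as the tuning notes predict, so a parent-process exclusion is the natural suppression rather than loosening the pattern itself.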
