Detect Impair Command History Logging in Microsoft Sentinel
Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.003 Impair Command History Logging
- Canonical reference: https://attack.mitre.org/techniques/T1562/003/
KQL Detection Query
let HistoryTampering = dynamic([
    "unset HISTFILE", "export HISTFILE=/dev/null", "export HISTFILESIZE=0", "export HISTSIZE=0",
    "HISTCONTROL=ignoreboth", "HISTCONTROL=ignorespace", "set +o history", "history -c",
    "history -w /dev/null", "rm -f ~/.bash_history", "truncate -s 0", "ln -sf /dev/null",
    "Set-PSReadlineOption -HistorySaveStyle SaveNothing", "Set-PSReadLineOption -HistorySavePath"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
// has_any matches whole terms and has no wildcard support, so glob-style entries such as
// "Remove-Item*ConsoleHost_history.txt" never match; deletion of the PSReadLine history file
// is matched on its own instead.
| where ProcessCommandLine has_any (HistoryTampering)
    or (ProcessCommandLine has "ConsoleHost_history.txt" and ProcessCommandLine has_any ("Remove-Item", "del"))
| extend Platform = case(
    ProcessCommandLine has_any ("PSReadline", "ConsoleHost_history"), "Windows",
    // HISTFILESIZE and HISTCONTROL are distinct terms from HISTFILE, so they are listed explicitly;
    // otherwise those rows fall through to "Unknown"
    ProcessCommandLine has_any ("HISTFILE", "HISTFILESIZE", "HISTSIZE", "HISTCONTROL", "bash_history",
                                "history -c", "set +o history", "truncate", "/dev/null"), "Linux/macOS",
    "Unknown")
| extend TamperMethod = case(
    ProcessCommandLine has "unset HISTFILE" or ProcessCommandLine has "HISTFILE=/dev/null", "HISTFILE Disabled",
    ProcessCommandLine has "HISTFILESIZE=0" or ProcessCommandLine has "HISTSIZE=0", "History Size Zeroed",
    ProcessCommandLine has "HISTCONTROL", "HISTCONTROL Modified",
    ProcessCommandLine has "history -c", "History Cleared",
    ProcessCommandLine has "set +o history", "History Disabled",
    ProcessCommandLine has "rm" or ProcessCommandLine has "truncate" or ProcessCommandLine has "ln -sf /dev/null", "History File Deleted/Redirected",
    ProcessCommandLine has "SaveNothing", "PSReadLine Disabled",
    ProcessCommandLine has "HistorySavePath", "PSReadLine Redirected",
    ProcessCommandLine has "ConsoleHost_history", "PS History File Deleted",
    "Other")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, Platform, TamperMethod, InitiatingProcessFileName
| sort by Timestamp desc

Detects command history tampering on both Linux/macOS (HISTFILE, HISTCONTROL, bash_history manipulation) and Windows (PSReadLine settings, ConsoleHost_history.txt deletion). Uses MDE DeviceProcessEvents to monitor process command lines for history impairment patterns.
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Developers or sysadmins who habitually set HISTCONTROL=ignorespace for convenience when typing sensitive commands (e.g., inline passwords)
- Automated provisioning or hardening scripts that configure shell history settings as part of baseline configuration
- Docker container entrypoint scripts that disable history logging in ephemeral environments
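The query's classification logic and the tuning cases above, replayed offline as an added Python example (not the page's own code): the rules mirror the KQL case() order, regex word boundaries stand in for KQL's term-based `has`, the ConsoleHost_history.txt deletion is matched with a regex because `has_any` cannot evaluate glob patterns, and rows whose parent is a provisioning tool are tagged as tuning candidates rather than dropped. The event rows and the BASELINE_PARENTS set are constructed, hypothetical values.

```python
import re

# Constructed DeviceProcessEvents-like rows (sample data, not real telemetry): row 1 is a
# provisioning-script false positive, row 5 a benign rm that must not fire.
SAMPLE_EVENTS = [
    {"DeviceName": "web01", "AccountName": "svc-deploy", "InitiatingProcessFileName": "ansible-playbook",
     "ProcessCommandLine": "bash -c 'export HISTCONTROL=ignoreboth; ./harden.sh'"},
    {"DeviceName": "web01", "AccountName": "www-data", "InitiatingProcessFileName": "bash",
     "ProcessCommandLine": "sh -c 'unset HISTFILE; export HISTFILESIZE=0'"},
    {"DeviceName": "ws-42", "AccountName": "jdoe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -c Set-PSReadlineOption -HistorySaveStyle SaveNothing"},
    {"DeviceName": "ws-42", "AccountName": "jdoe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": r"del C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"DeviceName": "db01", "AccountName": "root", "InitiatingProcessFileName": "bash",
     "ProcessCommandLine": "rm -rf /tmp/build"},
]
# Ordered like the KQL case(): first matching rule wins. Regexes with \b stand in for KQL's
# term-based `has`; the last rule replaces the glob patterns that has_any cannot evaluate.
TAMPER_RULES = [
    ("Linux/macOS", "HISTFILE Disabled", re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null")),
    ("Linux/macOS", "History Size Zeroed", re.compile(r"\bHIST(?:FILE)?SIZE=0\b")),
    ("Linux/macOS", "HISTCONTROL Modified", re.compile(r"\bHISTCONTROL=ignore(?:both|space)\b")),
    ("Linux/macOS", "History Cleared", re.compile(r"\bhistory\s+-c\b")),
    ("Linux/macOS", "History Disabled", re.compile(r"\bset\s+\+o\s+history\b")),
    ("Linux/macOS", "History File Deleted/Redirected", re.compile(
        r"\b(?:rm\s+-f|truncate\s+-s\s+0|ln\s+-sf\s+/dev/null)\s+\S*bash_history\b|\bhistory\s+-w\s+/dev/null")),
    ("Windows", "PSReadLine Disabled", re.compile(r"\bSet-PSReadLineOption\b.*\bSaveNothing\b", re.I)),
    ("Windows", "PSReadLine Redirected", re.compile(r"\bSet-PSReadLineOption\b.*-HistorySavePath\b", re.I)),
    ("Windows", "PS History File Deleted", re.compile(r"\b(?:Remove-Item|del)\b.*ConsoleHost_history\.txt\b", re.I)),
]
# Assumed (hypothetical) parent processes whose history settings are baseline configuration.
BASELINE_PARENTS = {"ansible-playbook", "chef-client", "puppet", "cloud-init"}

def classify(cmdline):
    """Return (Platform, TamperMethod) for one command line, or None when no rule matches."""
    for platform, method, pattern in TAMPER_RULES:
        if pattern.search(cmdline):
            return platform, method
    return None

def detect(events, baseline_parents=BASELINE_PARENTS):
    """Emulate the Sentinel query over event dicts, tagging likely false positives instead of dropping them."""
    hits = []
    for ev in events:
        match = classify(ev["ProcessCommandLine"])
        if match is None:
            continue
        disposition = "tuning-candidate" if ev["InitiatingProcessFileName"] in baseline_parents else "alert"
        hits.append({**ev, "Platform": match[0], "TamperMethod": match[1], "Disposition": disposition})
    return hits
```

Keeping the tuning candidates in the output, with a Disposition column, lets an analyst review what the exclusion would have suppressed before turning it into a hard filter in the KQL.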
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Disable Bash History via HISTFILE
  Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.
- Test 2: Redirect History to /dev/null (BPFDoor Pattern)
  Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.
- Test 3: Disable PSReadLine History on Windows
  Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.
References (5)
- https://attack.mitre.org/techniques/T1562/003/
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.cisa.gov/sites/default/files/publications/AA20-239A_Joint_Advisory.pdf
- https://learn.microsoft.com/en-us/powershell/module/psreadline/set-psreadlineoption
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md