Detect Impair Command History Logging in Splunk
Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.003 Impair Command History Logging
- Canonical reference
- https://attack.mitre.org/techniques/T1562/003/
SPL Detection Query
(index=linux sourcetype=syslog OR sourcetype=audit
("unset HISTFILE" OR "HISTFILE=/dev/null" OR "HISTFILESIZE=0" OR "HISTSIZE=0" OR "HISTCONTROL=ignoreboth" OR "HISTCONTROL=ignorespace" OR "set +o history" OR "history -c" OR "rm -f ~/.bash_history" OR "rm ~/.bash_history" OR "ln -sf /dev/null" OR "MYSQL_HISTFILE"))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*Set-PSReadlineOption*SaveNothing*" OR CommandLine="*Set-PSReadLineOption*HistorySavePath*" OR CommandLine="*Remove-Item*ConsoleHost_history*" OR CommandLine="*del*ConsoleHost_history*"))
| eval Platform=case(
sourcetype=="syslog" OR sourcetype=="audit", "Linux/macOS",
match(sourcetype, "Sysmon"), "Windows",
true(), "Unknown")
| eval TamperMethod=case(
match(_raw, "(?i)unset HISTFILE|HISTFILE=/dev/null"), "HISTFILE Disabled",
match(_raw, "(?i)HISTFILESIZE=0|HISTSIZE=0"), "History Size Zeroed",
match(_raw, "(?i)HISTCONTROL"), "HISTCONTROL Modified",
match(_raw, "(?i)history -c"), "History Cleared",
match(_raw, "(?i)set \+o history"), "History Disabled",
match(_raw, "(?i)SaveNothing"), "PSReadLine Disabled",
match(_raw, "(?i)HistorySavePath"), "PSReadLine Redirected",
true(), "Other")
| table _time, host, User, Platform, TamperMethod, _raw
| sort - _timeCross-platform detection for command history tampering. Monitors Linux syslog/auditd for HISTFILE and bash_history manipulation, and Windows Sysmon for PSReadLine configuration changes. Categorizes the tampering method for triage prioritization.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Developers or sysadmins who habitually set HISTCONTROL=ignorespace for convenience when typing sensitive commands
- Automated provisioning or hardening scripts that configure shell history settings as part of baseline configuration
- Docker container entrypoint scripts that disable history logging in ephemeral environments
Other platforms for T1562.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Bash History via HISTFILE
Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.
- Test 2Redirect History to /dev/null (BPFDoor Pattern)
Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.
- Test 3Disable PSReadLine History on Windows
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.
References (5)
- https://attack.mitre.org/techniques/T1562/003/
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.cisa.gov/sites/default/files/publications/AA20-239A_Joint_Advisory.pdf
- https://learn.microsoft.com/en-us/powershell/module/psreadline/set-psreadlineoption
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md
Unlock Pro Content
Get the full detection package for T1562.003 including response playbook, investigation guide, and atomic red team tests.