Detect Impair Command History Logging in Sumo Logic CSE
Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.003 Impair Command History Logging
- Canonical reference
- https://attack.mitre.org/techniques/T1562/003/
Sumo Detection Query
(_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*audit* OR _sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where (
(%"CommandLine" matches "*unset HISTFILE*"
OR %"CommandLine" matches "*HISTFILE=/dev/null*"
OR %"CommandLine" matches "*HISTFILESIZE=0*"
OR %"CommandLine" matches "*HISTSIZE=0*"
OR %"CommandLine" matches "*HISTCONTROL=ignoreboth*"
OR %"CommandLine" matches "*HISTCONTROL=ignorespace*"
OR %"CommandLine" matches "*set +o history*"
OR %"CommandLine" matches "*history -c*"
OR %"CommandLine" matches "*history -w /dev/null*"
OR %"CommandLine" matches "*Set-PSReadlineOption*SaveNothing*"
OR %"CommandLine" matches "*Set-PSReadLineOption*HistorySavePath*"
OR %"CommandLine" matches "*Remove-Item*ConsoleHost_history*"
OR %"CommandLine" matches "*del*ConsoleHost_history*")
OR (
(%"CommandLine" matches "*rm *" OR %"CommandLine" matches "*truncate*" OR %"CommandLine" matches "*ln -sf*")
AND (%"CommandLine" matches "*bash_history*" OR %"CommandLine" matches "*zsh_history*" OR %"CommandLine" matches "*fish_history*")
)
)
| if (_sourceCategory matches "*linux*" OR _sourceCategory matches "*syslog*" OR _sourceCategory matches "*audit*", "Linux/macOS",
if (_sourceCategory matches "*windows*" OR _sourceCategory matches "*sysmon*", "Windows", "Unknown")) as platform
| if (%"CommandLine" matches "*unset HISTFILE*" OR %"CommandLine" matches "*HISTFILE=/dev/null*", "HISTFILE Disabled",
if (%"CommandLine" matches "*HISTFILESIZE=0*" OR %"CommandLine" matches "*HISTSIZE=0*", "History Size Zeroed",
if (%"CommandLine" matches "*HISTCONTROL*", "HISTCONTROL Modified",
if (%"CommandLine" matches "*history -c*", "History Cleared",
if (%"CommandLine" matches "*set +o history*", "History Disabled",
if (%"CommandLine" matches "*SaveNothing*" OR %"CommandLine" matches "*HistorySavePath*", "PSReadLine Tampered",
if (%"CommandLine" matches "*ConsoleHost_history*", "PS History File Deleted",
if (%"CommandLine" matches "*bash_history*", "History File Manipulated", "Other")))))))) as tamper_method
| fields _messageTime, %host, %user, platform, tamper_method, %"CommandLine"
| sort by _messageTime desc
Detects shell history tampering and PSReadLine configuration abuse across Linux/macOS and Windows hosts. Searches for process command lines containing known history-suppression patterns, including HISTFILE manipulation, history file deletion, redirection to /dev/null, and PowerShell ConsoleHost history file removal or PSReadLine reconfiguration.
False Positives & Tuning
- DevOps pipeline agents (Jenkins, GitLab runners, GitHub Actions self-hosted) that disable history recording in their shell wrapper scripts to prevent leaking tokens or credentials into persistent log files
- System administrators using set +o history interactively when manually entering passwords or API keys during maintenance windows, then re-enabling with set -o history
- Containerized workloads with entrypoint scripts that explicitly unset HISTFILE to reduce artifact footprint in ephemeral environments where persistence is undesirable
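As an added example (not part of this detection page or Sumo Logic's own code), the query's where clause and tamper_method chain expressed in Python and run over constructed command-line events, with a user allowlist standing in for the CI-agent tuning described under False Positives & Tuning. The sample events and the case-insensitive matching are assumptions of this example; it also widens the final branch to zsh and fish history files, which the query as written labels "Other".

```python
from fnmatch import fnmatchcase
# Pattern groups mirror the query's where clause; "*" is the glob wildcard.
SPECIFIC = ["*unset HISTFILE*", "*HISTFILE=/dev/null*", "*HISTFILESIZE=0*", "*HISTSIZE=0*",
            "*HISTCONTROL=ignoreboth*", "*HISTCONTROL=ignorespace*", "*set +o history*",
            "*history -c*", "*history -w /dev/null*", "*Set-PSReadlineOption*SaveNothing*",
            "*Set-PSReadLineOption*HistorySavePath*", "*Remove-Item*ConsoleHost_history*",
            "*del*ConsoleHost_history*"]
FILE_OPS = ["*rm *", "*truncate*", "*ln -sf*"]
HIST_FILES = ["*bash_history*", "*zsh_history*", "*fish_history*"]
# Ordered like the query's nested if(): the first matching label wins.
METHODS = [
    ("HISTFILE Disabled", ["*unset HISTFILE*", "*HISTFILE=/dev/null*"]),
    ("History Size Zeroed", ["*HISTFILESIZE=0*", "*HISTSIZE=0*"]),
    ("HISTCONTROL Modified", ["*HISTCONTROL*"]),
    ("History Cleared", ["*history -c*"]),
    ("History Disabled", ["*set +o history*"]),
    ("PSReadLine Tampered", ["*SaveNothing*", "*HistorySavePath*"]),
    ("PS History File Deleted", ["*ConsoleHost_history*"]),
    ("History File Manipulated", HIST_FILES),  # widened: the query names only bash_history here
]

def glob_any(text, patterns):
    # Case-insensitive matching is a choice made in this example; confirm it against your tenant.
    low = text.lower()
    return any(fnmatchcase(low, p.lower()) for p in patterns)

def platform_of(source_category):
    if glob_any(source_category, ["*linux*", "*syslog*", "*audit*"]):
        return "Linux/macOS"
    if glob_any(source_category, ["*windows*", "*sysmon*"]):
        return "Windows"
    return "Unknown"

def classify(source_category, user, command_line, allowed_users=frozenset()):
    """(platform, tamper_method) for a matching event; None when nothing matches or the
    user is an allowlisted CI/service account (the tuning case from False Positives)."""
    hit = glob_any(command_line, SPECIFIC) or (
        glob_any(command_line, FILE_OPS) and glob_any(command_line, HIST_FILES))
    if not hit or user in allowed_users:
        return None
    method = next((name for name, pats in METHODS if glob_any(command_line, pats)), "Other")
    return platform_of(source_category), method

# Constructed sample events, not real telemetry: (_sourceCategory, user, CommandLine)
SAMPLES = [("prod/linux/auditd", "alice", "bash -c 'unset HISTFILE; id'"),
           ("prod/windows/sysmon", "carol", "powershell.exe Set-PSReadlineOption -HistorySaveStyle SaveNothing"),
           ("prod/linux/syslog", "dave", "rm -f /home/dave/.zsh_history"),
           ("prod/linux/auditd", "jenkins", "unset HISTFILE")]
if __name__ == "__main__":
    for src, user, cmd in SAMPLES:
        print(f"{cmd!r} -> {classify(src, user, cmd, allowed_users={'jenkins'})}")
```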
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Disable Bash History via HISTFILE
Expected signal: Auditd execve record for the shell session showing 'unset HISTFILE'. Process creation event in MDE. No bash_history entries will be written for subsequent commands.
- Test 2: Redirect History to /dev/null (BPFDoor Pattern)
Expected signal: Auditd execve record. The process /proc/<PID>/environ will show HISTFILE=/dev/null.
- Test 3: Disable PSReadLine History on Windows
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Set-PSReadlineOption'. PowerShell ScriptBlock Log Event ID 4104.
References (5)
- https://attack.mitre.org/techniques/T1562/003/
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.cisa.gov/sites/default/files/publications/AA20-239A_Joint_Advisory.pdf
- https://learn.microsoft.com/en-us/powershell/module/psreadline/set-psreadlineoption
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md