title: Clear Command History (T1070.003)
id: df00tech-t1070-003
status: experimental
description: "Adversaries clear command history to conceal actions taken during an intrusion. On Windows, PowerShell keeps two history stores: the in-session history, cleared with Clear-History, and the PSReadLine history file at %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt, which persists across sessions. Attackers delete or truncate that file directly, or resolve its location first with Remove-Item (Get-PSReadlineOption).HistorySavePath, the method used by Medusa Group ransomware. On Linux/macOS, history -c clears the in-memory history of the current shell but not entries already written to disk, HISTFILE= (or unset HISTFILE) stops the shell from writing history to disk when the session ends, and rm ~/.bash_history deletes the persistent record. Setting HISTSIZE=0 stops in-memory recording for the rest of the session, and assigning HISTFILESIZE=0 truncates the history file. TeamTNT, Aquatic Panda, APT41, Kobalos, and APT5 (ESXi) have all been observed clearing command history as post-exploitation cleanup."
references:
  - https://attack.mitre.org/techniques/T1070/003/
  - https://df00tech.com/detections/T1070.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original df00tech logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below covers only the Windows command-line indicators named in the
  # description. The Linux/macOS indicators (history -c, HISTFILE=, rm ~/.bash_history)
  # need a separate rule with product: linux, and shell built-ins such as history -c
  # or HISTSIZE=0 typed interactively never produce a process_creation event at all.
  selection:
    CommandLine|contains:
      - 'Clear-History'
      - 'ConsoleHost_history.txt'
      - 'HistorySavePath'
  condition: selection
falsepositives:
  - Administrators running Clear-History during interactive PowerShell sessions for legitimate housekeeping
  - Shell profile scripts that set HISTSIZE=0 for service accounts that should not record history
  - Backup or rotation scripts that delete and recreate .bash_history files
  - Security tools that sanitize history files after removing credentials accidentally typed at the command line
level: medium
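The following is an added worked example, not part of the df00tech rule or its KQL/SPL query: it runs the command-line indicators named in the description over a handful of constructed process-creation events (Sysmon-style fields on Windows, auditd-style on Linux) and applies one tuning from the falsepositives list. The event records, the account name in NO_HISTORY_SERVICE_ACCOUNTS and the indicator names are all assumptions made up for the example.

```python
"""Added example: evaluate T1070.003 command-line indicators over sample events."""
import re

# Windows indicators from the rule description: the Clear-History cmdlet, the
# PSReadLine history file name, and the HistorySavePath deletion pattern.
WINDOWS_PATTERNS = {
    "clear_history_cmdlet": re.compile(r"\bClear-History\b", re.IGNORECASE),
    "psreadline_history_file": re.compile(r"ConsoleHost_history\.txt", re.IGNORECASE),
    "psreadline_history_path": re.compile(r"\bHistorySavePath\b", re.IGNORECASE),
}

# Linux/macOS indicators from the rule description. These only appear in
# process_creation data when wrapped in an exec'd shell (bash -c '...'); typed
# interactively, history -c and variable assignments are built-ins and never exec.
LINUX_PATTERNS = {
    "history_clear": re.compile(r"\bhistory\s+-c\b"),
    # bare 'HISTFILE=', 'HISTFILE=/dev/null' or 'unset HISTFILE'; the lookahead
    # keeps HISTFILESIZE=0 from being counted here as well
    "histfile_unset": re.compile(
        r"(?:\bunset\s+HISTFILE\b|\bHISTFILE=(?:/dev/null)?(?=[\s;'\"]|$))"
    ),
    "histsize_zero": re.compile(r"\bHIST(?:FILE)?SIZE=0\b"),
    "bash_history_removed": re.compile(r"\brm\b[^;&|]*\.bash_history\b"),
}

# Assumption for this example (not from the rule): accounts whose profiles
# legitimately set HISTSIZE=0, matching the rule's second falsepositives entry.
NO_HISTORY_SERVICE_ACCOUNTS = {"svc-backup"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"product": "windows", "User": "jdoe", "Image": PS,
     "CommandLine": 'powershell.exe -nop -c "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"'},
    {"product": "windows", "User": "jdoe", "Image": PS,
     "CommandLine": 'powershell.exe -NoProfile -Command "Clear-History"'},
    {"product": "windows", "User": "jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"product": "windows", "User": "jdoe", "Image": PS,
     "CommandLine": "powershell.exe -c Get-Process"},  # benign
    {"product": "linux", "User": "root", "Image": "/bin/bash",
     "CommandLine": "bash -c 'history -c; unset HISTFILE; rm -f ~/.bash_history'"},
    {"product": "linux", "User": "svc-backup", "Image": "/bin/bash",
     "CommandLine": "bash -c 'export HISTSIZE=0 HISTFILESIZE=0'"},  # tuned out
    {"product": "linux", "User": "alice", "Image": "/bin/bash",
     "CommandLine": "bash -c 'export HISTSIZE=0 HISTFILESIZE=0'"},  # same command, alerts
    {"product": "linux", "User": "alice", "Image": "/usr/bin/ls",
     "CommandLine": "ls -la /home"},  # benign
]


def match_indicators(event):
    """Return the sorted indicator names whose regex hits the event's CommandLine."""
    patterns = WINDOWS_PATTERNS if event["product"] == "windows" else LINUX_PATTERNS
    cmdline = event.get("CommandLine", "")
    return sorted(name for name, rx in patterns.items() if rx.search(cmdline))


def is_tuned_out(event, hits):
    """Suppress only the narrow case the falsepositives list describes: an
    allow-listed service account whose sole indicator is HISTSIZE/HISTFILESIZE=0."""
    return hits == ["histsize_zero"] and event.get("User") in NO_HISTORY_SERVICE_ACCOUNTS


def run_detection(events):
    """Evaluate every event and return one alert per event with un-suppressed hits."""
    alerts = []
    for ev in events:
        hits = match_indicators(ev)
        if hits and not is_tuned_out(ev, hits):
            alerts.append({"User": ev.get("User"), "Image": ev["Image"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The allow-list deliberately matches only the single-indicator HISTSIZE=0 case: the same account combining it with history -c or deleting .bash_history still alerts, since housekeeping profiles have no reason to do that.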
