title: Impair Command History Logging (T1562.003)
id: df00tech-t1562-003
status: experimental
description: "Adversaries may impair command history logging to hide commands they run on a compromised system. On Linux and macOS, this involves manipulating HISTFILE, HISTFILESIZE, HISTSIZE, and HISTCONTROL environment variables, or redirecting history to /dev/null. On Windows, adversaries may modify PSReadLine settings to disable PowerShell command history. On network devices, adversaries may disable command logging entirely."
references:
  - https://attack.mitre.org/techniques/T1562/003/
  - https://df00tech.com/detections/T1562.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: `EventID: '*'` matches every process_creation
  # event, so the rule must not be deployed until the selection is replaced.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developers or sysadmins who habitually set HISTCONTROL=ignorespace for convenience when typing sensitive commands (e.g., inline passwords)"
  - Automated provisioning or hardening scripts that configure shell history settings as part of baseline configuration
  - Docker container entrypoint scripts that disable history logging in ephemeral environments
level: medium
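Added example, not part of the df00tech rule above: a small matcher that applies the behaviours listed in the description (HISTFILE redirection, zero-sized HISTSIZE/HISTFILESIZE, HISTCONTROL ignore settings, `set +o history`, PSReadLine history disabled) to process_creation command lines, and rates HISTCONTROL alone as low severity because the falsepositives list names it as routine admin behaviour. Field names (`Image`, `CommandLine`) follow Sysmon-style events and the sample events are constructed; both are assumptions.

```python
import re

# Constructed Sysmon-style process_creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {"Image": "/bin/bash",
     "CommandLine": 'bash -c "export HISTFILE=/dev/null; unset HISTFILE; ./a.sh"'},
    {"Image": "/bin/bash",
     "CommandLine": 'bash -c "HISTSIZE=0 HISTFILESIZE=0 ./run.sh"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command '
                    '"Set-PSReadLineOption -HistorySaveStyle SaveNothing"'},
    {"Image": "/bin/bash", "CommandLine": 'bash -c "ls -la /var/log"'},
    {"Image": "/bin/bash", "CommandLine": 'bash -c "HISTCONTROL=ignoreboth"'},
]

# One (pattern, label) pair per behaviour named in the rule description.
PATTERNS = [
    (re.compile(r"\bHISTFILE\s*=\s*/dev/null\b"), "histfile-devnull"),
    (re.compile(r"\bunset\s+HISTFILE\b"), "histfile-unset"),
    (re.compile(r"\bHIST(FILE)?SIZE\s*=\s*0\b"), "histsize-zero"),
    (re.compile(r"\bHISTCONTROL\s*=\s*\S*ignore(space|both)"), "histcontrol-ignore"),
    (re.compile(r"\bset\s+\+o\s+history\b"), "set-no-history"),
    (re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I),
     "psreadline-savenothing"),
]

# HISTCONTROL=ignorespace/ignoreboth is the benign case from the falsepositives
# list, so on its own it only earns a low severity.
STRONG = {"histfile-devnull", "histfile-unset", "histsize-zero",
          "set-no-history", "psreadline-savenothing"}

def history_impairment_indicators(command_line):
    """Return the label of every pattern found in the command line, in PATTERNS order."""
    return [label for pat, label in PATTERNS if pat.search(command_line)]

def severity(labels):
    if not labels:
        return "none"
    return "high" if any(label in STRONG for label in labels) else "low"

def evaluate_events(events):
    """Return one hit per event whose command line shows history impairment."""
    hits = []
    for ev in events:
        labels = history_impairment_indicators(ev.get("CommandLine", ""))
        if labels:
            hits.append({"Image": ev["Image"], "indicators": labels,
                         "severity": severity(labels)})
    return hits

if __name__ == "__main__":
    for hit in evaluate_events(SAMPLE_EVENTS):
        print(hit["severity"], hit["Image"], hit["indicators"])
```

Running the block prints three high-severity hits and one low-severity hit; the plain `ls` event is not reported.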
