Indicator Removal on Host: Clear Command History
Other sub-techniques of Indicator Removal on Host (6)
ID | Name |
---|---|
T1070.001 | Clear Windows Event Logs |
T1070.002 | Clear Linux or Mac System Logs |
T1070.003 | Clear Command History |
T1070.004 | File Deletion |
T1070.005 | Network Share Connection Removal |
T1070.006 | Timestomp |
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.

These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user's home directory called `~/.bash_history`. The benefit of this is that it allows users to go back to commands they've used before in different sessions.

Adversaries can use a variety of methods to prevent their own commands from appearing in these logs, such as clearing the history environment variable (`unset HISTFILE`), setting the command history size to zero (`export HISTFILESIZE=0`), manually clearing the history (`history -c`), or deleting the bash history file (`rm ~/.bash_history`).
Procedure Examples
Name | Description |
---|---|
APT41 | APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[2] |
Mitigations
Mitigation | Description |
---|---|
Environment Variable Permissions | Making the associated environment variables read only can make sure that the history is preserved.[1] |
Restrict File and Directory Permissions | Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their |
Detection
User authentication, especially via remote terminal services like SSH, without new entries in that user's `~/.bash_history` is suspicious. Additionally, the modification of the `HISTFILE` and `HISTFILESIZE` environment variables or the removal/clearing of the `~/.bash_history` file are indicators of suspicious activity.
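The two detection ideas above (an SSH login with no subsequent write to that user's `~/.bash_history`, and the four history-evasion commands named earlier) as a small detector. This is an added example, not MITRE's code; the sshd log lines, the per-user history-file snapshot and the command feed are all constructed, and the year is assumed because syslog lines carry none.

```python
import re
from datetime import datetime, timezone

# Constructed sample sshd lines in syslog format (no year; assumed 2024 below).
AUTH_LOG = """\
Mar  3 09:12:01 host sshd[2110]: Accepted publickey for alice from 10.0.0.5 port 50211 ssh2
Mar  3 09:40:17 host sshd[2312]: Accepted password for bob from 10.0.0.9 port 50400 ssh2
Mar  3 11:05:44 host sshd[2590]: Accepted publickey for carol from 10.0.0.7 port 50555 ssh2
"""

# Constructed snapshot of each user's ~/.bash_history: last mtime, or None if the file is gone.
HISTORY_MTIME = {
    "alice": datetime(2024, 3, 3, 9, 30, tzinfo=timezone.utc),  # updated after login: normal
    "bob": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),    # stale: no writes since login
    "carol": None,                                              # file removed
}

LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

# The four evasions named on the page, as they would appear in a process/command audit feed.
ANTI_HISTORY_RE = re.compile(
    r"unset\s+HISTFILE\b|HISTFILESIZE=0\b|\bhistory\s+-c\b|\brm\b.*\.bash_history"
)


def parse_logins(auth_log, year):
    """Yield (user, src, login_time) for each accepted sshd login."""
    for line in auth_log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
            when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield m["user"], m["src"], when


def history_gaps(auth_log, history_mtime, year=2024):
    """Flag logins whose user has a missing or unchanged ~/.bash_history afterwards."""
    findings = []
    for user, src, when in parse_logins(auth_log, year):
        mtime = history_mtime.get(user)
        if mtime is None:
            findings.append((user, src, "bash_history missing"))
        elif mtime < when:
            findings.append((user, src, "no bash_history write since login"))
    return findings


def anti_history_commands(command_lines):
    """Return command lines that disable, clear or delete the shell history."""
    return [c for c in command_lines if ANTI_HISTORY_RE.search(c)]
```

In production the history snapshot would come from a file-integrity or audit source rather than a dict, and the login-to-write comparison should allow for sessions that are still open.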