In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user's home directory called `~/.bash_history`. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (`history -c`) or deleting the bash history file (`rm ~/.bash_history`). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (`clear logging` and/or `clear history`).(Citation: US-CERT-TA18-106A)

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the `PSReadLine` module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends. The `PSReadLine` command history tracks the commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History) Adversaries may run the PowerShell command `Clear-History` to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the `ConsoleHost_history.txt` file. Adversaries may also delete the `ConsoleHost_history.txt` file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
- Atomic Test #8 - Use Space Before Command to Avoid Logging to History
- Atomic Test #12 - Clear Powershell History by Deleting History File
- Atomic Test #13 - Set Custom AddToHistoryHandler to Avoid History File Logging
Clears bash history via rm

Supported Platforms: Linux, macOS

auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| history_path | Bash history path | path | ~/.bash_history |

Attack Commands: Run with sh!

```sh
rm #{history_path}
```
Clears bash history via echo

Supported Platforms: Linux

auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| history_path | Bash history path | path | ~/.bash_history |

Attack Commands: Run with sh!

```sh
echo "" > #{history_path}
```
Clears bash history via cat /dev/null

Supported Platforms: Linux, macOS

auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| history_path | Bash history path | path | ~/.bash_history |

Attack Commands: Run with sh!

```sh
cat /dev/null > #{history_path}
```
Clears bash history via a symlink to /dev/null

Supported Platforms: Linux, macOS

auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| history_path | Bash history path | path | ~/.bash_history |

Attack Commands: Run with sh!

```sh
ln -sf /dev/null #{history_path}
```
Clears bash history via truncate

Supported Platforms: Linux

auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| history_path | Bash history path | path | ~/.bash_history |

Attack Commands: Run with sh!

```sh
truncate -s0 #{history_path}
```
Clears the history of several different shell types by setting the history size to zero

Supported Platforms: Linux, macOS

auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c

Attack Commands: Run with sh!

```sh
unset HISTFILE
export HISTFILESIZE=0
history -c
```
Clears the history and disables bash history logging for the current shell and future shell sessions

Supported Platforms: Linux, macOS

auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6

Attack Commands: Run with sh!

```sh
set +o history
echo 'set +o history' >> ~/.bashrc
. ~/.bashrc
history -c
```

Cleanup Commands:

```sh
sed -i 's/set +o history//g' ~/.bashrc
. ~/.bashrc
set -o history
```
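A defender-side audit for the bash history tampering indicators described in the technique description and exercised by the tests above: a deleted, blanked or /dev/null-symlinked `~/.bash_history`, and `set +o history`, `unset HISTFILE` or a zero history size persisted in the shell startup files. This is an added example, not code from Atomic Red Team or MITRE; the function name `audit_bash_history` and the finding labels are assumptions.

```shell
#!/bin/sh
# Added example: audit one home directory for the bash-history tampering
# indicators this page describes. Prints one finding per line (nothing for
# a clean home). Function name and finding labels are assumptions.
audit_bash_history() {
    home="$1"
    hist="$home/.bash_history"

    # File-level indicators: symlink to /dev/null, deleted, or blanked
    # (rm, echo "" >, cat /dev/null > and truncate -s0 all land here).
    if [ -L "$hist" ]; then
        [ "$(readlink "$hist")" = "/dev/null" ] && echo "SYMLINK_DEVNULL $hist"
    elif [ ! -e "$hist" ]; then
        echo "HISTORY_MISSING $hist"
    elif ! grep -q '[^[:space:]]' "$hist"; then
        echo "HISTORY_EMPTY $hist"
    fi

    # Persistence indicators in startup files: history switched off,
    # HISTFILE unset, or history size forced to zero for future sessions.
    for rc in "$home/.bashrc" "$home/.bash_profile" "$home/.profile"; do
        [ -f "$rc" ] || continue
        grep -nE 'set[[:space:]]+\+o[[:space:]]+history' "$rc" \
            | sed "s|^|HISTORY_DISABLED $rc:|"
        grep -nE '^[[:space:]]*unset[[:space:]]+HISTFILE' "$rc" \
            | sed "s|^|HISTFILE_UNSET $rc:|"
        grep -nE '(HISTFILESIZE|HISTSIZE)=0([^0-9]|$)' "$rc" \
            | sed "s|^|HISTSIZE_ZERO $rc:|"
    done
    return 0
}

# Usage: audit_bash_history /home/alice   (or loop over /home/*)
if [ $# -gt 0 ]; then
    audit_bash_history "$1"
fi
```

Distribution defaults such as `HISTCONTROL=ignoreboth` are deliberately not flagged, since they are too common to be a useful indicator on their own.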
Using a space before a command causes the command to not be logged in the Bash history file

Supported Platforms: Linux, macOS

auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6

Attack Commands: Run with sh!

```sh
# each command below is prefixed with a single space
 hostname
 whoami
```
Keeps history clear and stays out of lastlog, wtmp and btmp. ssh -T keeps the ssh client from getting a proper TTY, which is what usually gets logged in lastlog.

Supported Platforms: Linux

auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1

Attack Commands: Run with sh!

```sh
sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
```

Cleanup Commands:

```sh
[ "$(uname)" = 'FreeBSD' ] && rmuser -y testuser1 || userdel -f testuser1
```

Dependencies: Run with sh!

Check Prereq Commands:

```sh
$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
```

Get Prereq Commands:

```sh
[ "$(uname)" = 'FreeBSD' ] && pw useradd testuser1 -g wheel -s /bin/sh || /usr/sbin/useradd testuser1
[ "$(uname)" = 'FreeBSD' ] && echo 'pwd101!' | pw mod user testuser1 -h 0 || echo -e 'pwd101!\npwd101!' | passwd testuser1
(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
```
Clears Docker container logs using the Docker CLI and the truncate command, removing all log entries.

Supported Platforms: Linux

auto_generated_guid: 553b39f9-1e8c-47b1-abf5-8daf7b0391e9

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

```bash
docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
```
Prevents PowerShell history

Supported Platforms: Windows

auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370

Attack Commands: Run with powershell!

```powershell
Set-PSReadlineOption -HistorySaveStyle SaveNothing
```

Cleanup Commands:

```powershell
Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
```
Clears PowerShell history

Supported Platforms: Windows

auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037

Attack Commands: Run with powershell!

```powershell
Remove-Item (Get-PSReadlineOption).HistorySavePath
```
The `AddToHistoryHandler` receives the current command as the `$line` variable and then returns `$true` if the line should be written to the history file. Here we simply return `$false` so nothing gets added to the history file for the current session.

Supported Platforms: Windows

auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94

Attack Commands: Run with powershell!

```powershell
Set-PSReadLineOption -AddToHistoryHandler { return $false }
```

Cleanup Commands:

```powershell
Set-PSReadLineOption -AddToHistoryHandler $null
```