Try it using Invoke-Atomic

Impair Defenses: Impair Command History Logging

Description from ATT&CK

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.

Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)

Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).

Atomic Tests

Atomic Test #1 - Disable history collection

Disables history collection in shells

Supported Platforms: linux,macos

auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5

Inputs:

Name Description Type Default Value
evil_command Command to run after shell history collection is disabled string whoami

Attack Commands: Run with sh!

1
2

export HISTCONTROL=ignoreboth
#{evil_command}

Atomic Test #2 - Disable history collection (freebsd)

Disables history collection in shells

Supported Platforms: linux

auto_generated_guid: cada55b4-8251-4c60-819e-8ec1b33c9306

Inputs:

Name Description Type Default Value
evil_command Command to run after shell history collection is disabled string whoami

Attack Commands: Run with sh!

1
2

export HISTSIZE=0
#{evil_command}

Atomic Test #3 - Mac HISTCONTROL

The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile so that it will apply to all future settings as well. https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol

Supported Platforms: macos,linux

auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d

Inputs:

None

Run it with these steps!

  1. export HISTCONTROL=ignoreboth
  2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
  3. ls
  4. whoami > recon.txt
1




Atomic Test #4 - Clear bash history


An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.



In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.



Supported Platforms: linux



auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b



Inputs:



None



Attack Commands: Run with bash!



1
2
3
4
5
6
7
8

cp $HISTFILE $HISTFILE.OLD
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
echo "" > $HISTFILE
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
ls -la $HISTFILE 
cat $HISTFILE
history -c 
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi




Cleanup Commands:



1

mv -f $HISTFILE.OLD $HISTFILE




Atomic Test #5 - Setting the HISTCONTROL environment variable


An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.



In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history



Supported Platforms: linux



auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24



Inputs:



None



Attack Commands: Run with bash!



1
2
3
4
5
6
7
8
9
10
11
12

TEST=$(echo $HISTCONTROL)
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
history -c 
ls -la $HISTFILE # " ls -la $HISTFILE"
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
# -> ls -la is not in history cache
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
history -c 
ls -la $HISTFILE
ls -la $HISTFILE
ls -la $HISTFILE
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi




Cleanup Commands:



1

export HISTCONTROL=$(echo $TEST)




Atomic Test #6 - Setting the HISTFILESIZE environment variable


An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.



Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.



Supported Platforms: linux



auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618



Inputs:



None



Attack Commands: Run with bash!



1
2
3
4
5

TEST=$(echo $HISTFILESIZE)
echo $HISTFILESIZE
export HISTFILESIZE=0
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
# -> $HISTFILESIZE is zero




Cleanup Commands:



1

export HISTCONTROL=$(echo $TEST)




Atomic Test #7 - Setting the HISTSIZE environment variable


An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.



Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.



Supported Platforms: linux



auto_generated_guid: 386d3850-2ce7-4508-b56b-c0558922c814



Inputs:



None



Attack Commands: Run with sh!



1
2
3
4

echo $HISTSIZE
export HISTSIZE=0
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; fi
# -> $HISTSIZE is zero




Cleanup Commands:



1

export HISTSIZE=100




Atomic Test #8 - Setting the HISTFILE environment variable


An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.



Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.



Supported Platforms: linux



auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1



Inputs:



None



Attack Commands: Run with bash!



1
2
3
4
5

TEST=$(echo $HISTFILE)
echo $HISTFILE
export HISTFILE="/dev/null"
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
# -> $HISTFILE is /dev/null




Cleanup Commands:



1

export HISTFILE=$(echo $TEST)




Atomic Test #9 - Setting the HISTFILE environment variable (freebsd)


An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.



Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.



Supported Platforms: linux



auto_generated_guid: f7308845-6da8-468e-99f2-4271f2f5bb67



Inputs:



None



Attack Commands: Run with sh!



1
2
3
4

echo $HISTFILE
export HISTFILE="/dev/null"
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
# -> $HISTFILE is /dev/null




Cleanup Commands:



1

export HISTFILE=~/.sh_history




Atomic Test #10 - Setting the HISTIGNORE environment variable


An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.



In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.



Supported Platforms: linux



auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1



Inputs:



None



Attack Commands: Run with bash!



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
# -> $HISTIGNORE = ls*:rm*:ssh*
history -c 
ls -la $HISTFILE
ls -la ~/.bash_logout
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
# -> ls commands are not in history
unset HISTIGNORE

if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
# -> $HISTIGNORE = *
history -c 
whoami
groups
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
# -> History cache is empty




Cleanup Commands:



1

unset HISTIGNORE




Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe


In Windows operating systems, command line auditing is controlled through the following registry value:



Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit



Registry Value: ProcessCreationIncludeCmdLine_Enabled



When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.



Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
  Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
  Registry events (Windows Event ID 4657, Sysmon Event ID 13)



Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html



Supported Platforms: windows



auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5



Inputs:



None



Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)



1

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f




Cleanup Commands:



1

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f




Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet


In Windows operating systems, command line auditing is controlled through the following registry value:



Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit



Registry Value: ProcessCreationIncludeCmdLine_Enabled



When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.



Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
  Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
  Registry events (Windows Event ID 4657, Sysmon Event ID 13)



Read more here:
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key



Supported Platforms: windows



auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa



Inputs:



None



Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)



1

New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore




Cleanup Commands:



1

New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore




source