Detects an adversary clearing command history via `history -c`, deleting or modifying `~/.bash_history`, or manipulating the `HISTFILE` environment variable after login.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Deletion (DC0040) | auditd:SYSCALL | PATH |

| Field | Description |
|---|---|
| TimeWindow | Detect shell history clearing shortly after login or command execution. |
| UserContext | Elevated shell sessions (e.g., root or sudo) without command history may be more suspicious. |
| HistoryFilePath | Bash/Zsh history file paths (e.g., `~/.bash_history`, `~/.zsh_history`). |
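The Linux analytic above, expressed as detection logic over auditd records; this is an added example, not part of the original analytic. It groups SYSCALL, EXECVE and PATH records by their audit event id, flags unlink/truncate syscalls whose PATH record names a shell history file, and scans execve argument lists for `history -c` or a `HISTFILE=` assignment, decoding auditd's hex-encoded EXECVE arguments along the way. The sample log and the audit rule keys (`history`, `exec`) are constructed; syscall numbers are x86_64. One caveat the analytic's execve channel implies: `history -c` and `HISTFILE` changes are shell builtins and produce no execve record when typed interactively, so the EXECVE rule only fires when they are handed to a new shell or a wrapper such as `env` (as in the sample); the file-level rules cover the rest.

```python
import re

# Syscall numbers are x86_64 (raw auditd logs the number, not the name).
UNLINK_SYSCALLS = {"87", "263"}     # unlink, unlinkat
TRUNCATE_SYSCALLS = {"76", "77"}    # truncate, ftruncate
HISTORY_FILE_RE = re.compile(r"/\.(bash|zsh|sh)_history$")
CLEAR_CMD_RE = re.compile(r"\bhistory\s+-c\b")
HISTFILE_RE = re.compile(r"\bHISTFILE=")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_record(line):
    """One auditd line -> {field: value}. auditd quotes printable values and
    hex-encodes the rest (e.g. EXECVE args containing spaces); unquoted hex
    EXECVE arguments are decoded here. SYSCALL a0..a3 are raw registers and
    are left alone."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif (fields.get("type") == "EXECVE" and key[0] == "a" and key[1:].isdigit()
              and HEX_RE.fullmatch(raw) and len(raw) % 2 == 0):
            fields[key] = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            fields[key] = raw
    return fields


def group_events(lines):
    """Group SYSCALL/EXECVE/PATH records by their audit(ts:serial) id, keeping order."""
    events, order = {}, []
    for line in lines:
        rec = parse_record(line)
        eid = rec.get("msg")
        if eid is None:
            continue
        if eid not in events:
            events[eid] = []
            order.append(eid)
        events[eid].append(rec)
    return [events[e] for e in order]


def evaluate_event(records):
    """Apply the history-clearing rules to one grouped audit event; None if benign."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None:
        return None
    ctx = {"event": syscall["msg"], "comm": syscall.get("comm"),
           "auid": syscall.get("auid"), "euid": syscall.get("euid")}
    hist_paths = [r["name"] for r in records
                  if r.get("type") == "PATH" and HISTORY_FILE_RE.search(r.get("name", ""))]
    if hist_paths and syscall.get("syscall") in UNLINK_SYSCALLS:
        return {**ctx, "rule": "history_file_deleted", "path": hist_paths[0]}
    if hist_paths and syscall.get("syscall") in TRUNCATE_SYSCALLS:
        return {**ctx, "rule": "history_file_truncated", "path": hist_paths[0]}
    execve = next((r for r in records if r.get("type") == "EXECVE"), None)
    if execve is not None:
        argv_keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)),
                           key=lambda k: int(k[1:]))
        cmdline = " ".join(execve[k] for k in argv_keys)
        if CLEAR_CMD_RE.search(cmdline):
            return {**ctx, "rule": "history_clear_via_execve", "cmdline": cmdline}
        if HISTFILE_RE.search(cmdline):
            return {**ctx, "rule": "histfile_env_manipulated", "cmdline": cmdline}
    return None


def detect(lines):
    return [a for a in (evaluate_event(ev) for ev in group_events(lines)) if a]


# Constructed sample (not a real capture). Event 504 is bash appending to its own
# history file at exit (openat, O_WRONLY|O_CREAT|O_APPEND) and must not alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0c0a12f60 a2=0 a3=0 items=2 ppid=1200 pid=1301 auid=1000 uid=1000 euid=1000 comm="rm" exe="/usr/bin/rm" key="history"
type=PATH msg=audit(1700000000.101:501): item=0 name="/home/alice/" inode=131073 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/home/alice/.bash_history" inode=131099 nametype=DELETE
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a13000 a1=55d0c0a13100 a2=55d0c0a13200 a3=0 items=2 ppid=1200 pid=1302 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.205:502): argc=3 a0="bash" a1="-c" a2=686973746F7279202D63
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a14000 a1=55d0c0a14100 a2=55d0c0a14200 a3=0 items=2 ppid=1200 pid=1303 auid=1000 uid=1000 euid=1000 comm="env" exe="/usr/bin/env" key="exec"
type=EXECVE msg=audit(1700000000.300:503): argc=3 a0="env" a1="HISTFILE=/dev/null" a2="bash"
type=SYSCALL msg=audit(1700000000.400:504): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a15000 a2=441 a3=1b6 items=1 ppid=1 pid=1200 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="history"
type=PATH msg=audit(1700000000.400:504): item=0 name="/home/alice/.bash_history" inode=131099 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.500:505): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a16000 a1=55d0c0a16100 a2=55d0c0a16200 a3=0 items=2 ppid=1200 pid=1304 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.500:505): argc=2 a0="cat" a1="/etc/hostname"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Running the block prints three alerts (events 501, 502 and 503) and stays silent on the shell's own history append and the unrelated `cat`. The `euid` field carries the UserContext element: event 502 runs as root, which the analytic treats as more suspicious.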
Detects an adversary clearing shell history with `history -c` or by deleting or altering `~/.zsh_history` or `~/.bash_history`. Focus on sessions with missing or wiped history.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process |
| File Modification (DC0061) | fs:fsusage | unlink, write |

| Field | Description |
|---|---|
| TimeWindow | Duration after terminal usage during which deletion or modification is considered suspicious. |
| UserContext | Flag unexpected user activity, especially from users who normally don’t use the terminal. |
| HistoryFilePath | Zsh or Bash history files under the user's home directory. |
Detects invocation of the PowerShell `Clear-History` cmdlet or deletion of `ConsoleHost_history.txt` to erase past PowerShell session history.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23 |
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663 |

| Field | Description |
|---|---|
| HistoryFilePath | Path to the PSReadLine history file, typically under APPDATA. |
| UserContext | User account or role performing the deletion (e.g., a low-privilege user deleting history). |
| CommandPattern | Support detection of `Clear-History` and variations. |
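The Windows analytic above as detection logic over normalized event dicts; this is an added example, not part of the original analytic. It matches `Clear-History` and its built-in alias `clhy` case-insensitively in 4104 script block text, flags Sysmon 23 deletions of PSReadLine history files, and evaluates 4663 access masks so that DELETE (0x10000) alerts while routine WriteData (0x2) from the console host itself, which appends every command to the file, is suppressed unless some other process is doing the writing. Field names follow the event XML (ScriptBlockText, TargetFilename, ObjectName, AccessMask), but the sample events are constructed, and a 4663 only exists if a SACL has been set on the history file. Worth keeping in mind when tuning: `Clear-History` empties only the session's in-memory list (`Get-History`); PSReadLine's file still holds the commands, which is why the file channels matter.

```python
import re

# Clear-History and its built-in alias; PowerShell is case-insensitive, so match that way.
# The lookarounds stop "Clear-HistoryFoo" from matching but allow module-qualified forms.
CLEAR_HISTORY_RE = re.compile(r"(?<![\w-])(Clear-History|clhy)(?![\w-])", re.IGNORECASE)
# PSReadLine writes <HostName>_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\;
# the host prefix varies (ConsoleHost_, ...), so match on the directory and the suffix.
PSREADLINE_FILE_RE = re.compile(r"\\PSReadLine\\[^\\]*_history\.txt$", re.IGNORECASE)
# Processes whose own writes to the history file are expected.
POWERSHELL_HOSTS = re.compile(r"\\(powershell|powershell_ise|pwsh)\.exe$", re.IGNORECASE)
# 4663 AccessMask bits.
DELETE_MASK, WRITE_MASK = 0x10000, 0x2


def access_mask(value):
    """AccessMask arrives as an int or as a hex string such as '0x10000'."""
    return value if isinstance(value, int) else int(str(value), 0)


def evaluate_windows_event(ev):
    """Return an alert dict for one event, or None when it is benign or irrelevant."""
    code = int(ev.get("EventCode", 0))
    if code == 4104:
        text = ev.get("ScriptBlockText", "")
        if CLEAR_HISTORY_RE.search(text):
            return {"rule": "clear_history_invoked", "user": ev.get("UserId"),
                    "evidence": text.strip()}
    elif code == 23:  # Sysmon FileDelete
        target = ev.get("TargetFilename", "")
        if PSREADLINE_FILE_RE.search(target):
            return {"rule": "psreadline_history_deleted", "user": ev.get("User"),
                    "process": ev.get("Image"), "evidence": target}
    elif code == 4663:  # Security: an attempt was made to access an object
        obj = ev.get("ObjectName", "")
        if PSREADLINE_FILE_RE.search(obj):
            mask = access_mask(ev.get("AccessMask", 0))
            proc = ev.get("ProcessName", "")
            if mask & DELETE_MASK:
                return {"rule": "psreadline_history_deleted", "user": ev.get("SubjectUserName"),
                        "process": proc, "evidence": obj}
            # The console host appends to this file constantly; only writes from
            # anything else are interesting.
            if mask & WRITE_MASK and not POWERSHELL_HOSTS.search(proc):
                return {"rule": "psreadline_history_written_by_other_process",
                        "user": ev.get("SubjectUserName"), "process": proc, "evidence": obj}
    return None


def detect(events):
    return [a for a in map(evaluate_windows_event, events) if a]


# Constructed sample events (not a real capture), in the shape a SIEM hands over.
HIST = ("C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell"
        "\\PSReadLine\\ConsoleHost_history.txt")
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventCode": 4104, "UserId": "CORP\\jdoe", "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"EventCode": 4104, "UserId": "CORP\\jdoe", "ScriptBlockText": "clhy; exit"},
    {"EventCode": 4104, "UserId": "CORP\\jdoe", "ScriptBlockText": "CLEAR-HISTORY -Count 5"},
    {"EventCode": 23, "User": "CORP\\jdoe", "Image": PS_EXE, "TargetFilename": HIST},
    {"EventCode": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x2", "ObjectName": HIST, "ProcessName": PS_EXE},
    {"EventCode": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x2", "ObjectName": HIST,
     "ProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"EventCode": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x10000", "ObjectName": HIST,
     "ProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 23, "User": "CORP\\jdoe", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jdoe\\Desktop\\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Five of the eight sample events alert; the 0x2 write from powershell.exe and the unrelated deletion on the desktop do not. The `user` and `process` fields give the UserContext element something to score on.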
Detects modification or truncation of `/var/log/shell.log`, which persists ESXi shell command history. Especially suspicious shortly after login or configuration changes.

| Data Component | Name | Channel |
|---|---|---|
| File Deletion (DC0040) | esxi:shell | /var/log/shell.log |

| Field | Description |
|---|---|
| LogFilePath | Path to the shell command history on ESXi. |
| TimeWindow | Time range after login or privilege escalation. |
Detects use of clear-history or clear-logging commands on a network device CLI to remove records of past activity.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | CLI command audit |

| Field | Description |
|---|---|
| CommandPattern | Support detection of known variants: `clear history`, `clear logging`, etc. |
| DeviceType | Router, switch, or firewall; each may have different CLI behaviors. |
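The CommandPattern element above as a matcher over CLI audit lines; this is an added example, not part of the original analytic. IOS-style parsers accept any unambiguous keyword prefix, so an exact-string rule fires only for the fully typed command; the matcher therefore canonicalizes each token against a small keyword vocabulary before comparing, leaves ambiguous prefixes alone, and treats anything beginning with `clear logging` as a variant. The audit-line format, the per-DeviceType vocabulary and the sample lines are all constructed for this example; real platforms emit their own formats, which is what the DeviceType element is for.

```python
import re

# Canonical CLI keywords per device family. Ambiguity is judged against this list,
# not the full CLI grammar; the vocabulary is an assumption made for this example.
VOCAB = {
    "ios_like": {"clear", "clock", "configure", "copy", "show", "history", "host",
                 "logging", "login", "line", "buffer", "terminal"},
}
# Token sequences that count as clearing history; matched as a prefix of the command.
CLEAR_PATTERNS = (("clear", "history"), ("clear", "logging"))

# Constructed audit-line shape for this example; real vendors emit different formats.
AUDIT_LINE_RE = re.compile(
    r'^(?P<ts>\S+ \d+ [\d:]+) (?P<device>\S+) CLI: user=(?P<user>\S+) '
    r'type=(?P<dtype>\S+) cmd="(?P<cmd>[^"]*)"$')


def expand_token(token, vocab):
    """Expand an unambiguous prefix to its keyword (IOS-style abbreviation); leave
    exact keywords and ambiguous or unknown tokens unchanged."""
    if token in vocab:
        return token
    candidates = [w for w in vocab if w.startswith(token)]
    return candidates[0] if len(candidates) == 1 else token


def canonicalize(cmd, vocab):
    """Lower-case, collapse whitespace, and expand abbreviations token by token."""
    return tuple(expand_token(t, vocab) for t in cmd.strip().lower().split())


def is_clear_command(cmd, device_type="ios_like"):
    tokens = canonicalize(cmd, VOCAB.get(device_type, set()))
    return any(tokens[:len(p)] == p for p in CLEAR_PATTERNS)


def detect(lines):
    """Parse audit lines and return one alert per history/log-clearing command."""
    alerts = []
    for line in lines:
        m = AUDIT_LINE_RE.match(line)
        if not m:
            continue
        if is_clear_command(m["cmd"], m["dtype"]):
            alerts.append({"device": m["device"], "user": m["user"], "dtype": m["dtype"],
                           "cmd": m["cmd"],
                           "canonical": canonicalize(m["cmd"], VOCAB.get(m["dtype"], set()))})
    return alerts


# Constructed sample lines (not a real capture).
SAMPLE_LINES = [
    'Nov 14 12:00:01 core-rtr-01 CLI: user=netops type=ios_like cmd="show logging"',
    'Nov 14 12:00:09 core-rtr-01 CLI: user=netops type=ios_like cmd="clear logging"',
    'Nov 14 12:03:44 edge-sw-07 CLI: user=svc-backup type=ios_like cmd="clea  hist"',
    'Nov 14 12:05:12 edge-sw-07 CLI: user=netops type=ios_like cmd="cl line vty 0"',
    'Nov 14 12:06:30 fw-dmz-02 CLI: user=admin type=generic cmd="clear logging buffer"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Three of the five sample lines alert. The abbreviated form on `edge-sw-07` is canonicalized to `clear history` before matching, `cl line vty 0` is not (and `cl` alone stays ambiguous between `clear` and `clock`), and the `generic` device type gets no expansion but still matches the fully typed command.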