Indicator Removal: Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Linux and macOS, these command histories can be accessed in a few different ways. During an interactive session the shell keeps the history in memory; when the shell exits, it writes that history to the file named by the environment variable HISTFILE, which defaults to ~/.bash_history for bash and ~/.zsh_history for zsh (the default shell on current macOS). The benefit of this is that it allows users to go back to commands they've used in earlier sessions. Adversaries may delete their commands from these logs by clearing the in-memory history before the shell exits (history -c), by deleting or truncating the history file (rm ~/.bash_history), or by preventing the history from being written at all, for example by unsetting HISTFILE or pointing it at /dev/null.
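
The mechanism above gives a defender a simple consistency check: after an interactive session ends, the account's history file should exist, be non-empty, not be a symlink to /dev/null, and have been modified during or after that session. The following Python script, an added example that is not part of the ATT&CK page, applies that check to constructed login and history-file records; the record shapes (Session, HistFile), the home-directory convention and the sample users are assumptions for illustration, not the output of any real tool.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    """One interactive login, as you might derive it from wtmp or auditd (constructed here)."""
    user: str
    login: int   # epoch seconds
    logout: int  # epoch seconds; the shell writes HISTFILE at this point


@dataclass
class HistFile:
    """Observed state of the account's HISTFILE after the session (constructed here)."""
    path: str
    exists: bool
    size: int = 0
    mtime: int = 0
    symlink_target: Optional[str] = None  # set when the path is a symlink


def check_user(user: str, sessions: List[Session], hf: Optional[HistFile], home: str) -> List[str]:
    """Return findings for one account; an empty list means the history looks intact."""
    mine = [s for s in sessions if s.user == user]
    if not mine:
        return []  # never logged in interactively, so no history is expected
    last = max(mine, key=lambda s: s.logout)
    if hf is None or not hf.exists:
        return [f"history file missing after session ending at {last.logout}"]
    if hf.path == "/dev/null" or hf.symlink_target == "/dev/null":
        return [f"history redirected to /dev/null via {hf.path}"]
    findings = []
    if not hf.path.startswith(home.rstrip("/") + "/"):
        # unusual but not always malicious: HISTFILE moved out of the home directory
        findings.append(f"HISTFILE points outside home directory: {hf.path}")
    if hf.size == 0:
        # history -c followed by a normal exit rewrites the file as zero bytes
        findings.append("history file is empty after an interactive session")
    if hf.mtime < last.login:
        # nothing was written during or after the last session: history -c with
        # append-mode history, HISTFILE unset, or the file restored from a backup
        findings.append(
            f"history file not modified since before login at {last.login} (mtime {hf.mtime})"
        )
    return findings


def audit(sessions: List[Session], histfiles: Dict[str, HistFile],
          homes: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Run check_user for every account that had an interactive session."""
    homes = homes or {}
    report = {}
    for user in sorted({s.user for s in sessions}):
        findings = check_user(user, sessions, histfiles.get(user), homes.get(user, f"/home/{user}"))
        if findings:
            report[user] = findings
    return report


# Constructed sample data, not taken from a real host.
SESSIONS = [
    Session("alice", 1000, 1600),
    Session("bob", 2000, 2500),
    Session("carol", 3000, 3500),
    Session("dave", 4000, 4400),
    Session("frank", 5000, 5300),
]
HISTFILES = {
    "alice": HistFile("/home/alice/.bash_history", True, size=2048, mtime=1600),   # intact
    "bob": HistFile("/home/bob/.bash_history", True, size=0, mtime=2500),          # history -c, then exit
    "carol": HistFile("/home/carol/.zsh_history", True, size=900, mtime=2900),     # untouched by the session
    "dave": HistFile("/home/dave/.bash_history", True, size=0, mtime=3990, symlink_target="/dev/null"),
    "erin": HistFile("/home/erin/.bash_history", False),  # no sessions, so not checked
    # frank has a session but no history file at all
}

if __name__ == "__main__":
    for user, findings in audit(SESSIONS, HISTFILES).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

The two time-based branches cover both ways `history -c` can leave traces: with default bash settings the shell overwrites HISTFILE on exit with the now-empty list, so a zero-byte file appears; with append-mode history the shell appends nothing, so the file's mtime stays older than the login. An account whose HISTFILE was unset or redirected during the session produces the same "not modified" result, which is why the check keys on the login time rather than the logout time.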

Adversaries may also leverage a Network Device CLI on network devices to clear command history data (clear logging and/or clear history).[1] On ESXi servers, command history may be manually removed from the /var/log/shell.log file.[2]

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.

The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.[3]

Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.[4][5]

ID: T1070.003
Sub-technique of:  T1070
Tactic: Defense Evasion
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Austin Clark, @c2defense; Emile Kenning, Sophos; Vikas Singh, Sophos
Version: 1.6
Created: 31 January 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0096 APT41

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[6]

G1023 APT5

APT5 has cleared the command history on targeted ESXi servers.[7]

G0143 Aquatic Panda

Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations.[8]

S0601 Hildegard

Hildegard has used history -c to clear script shell logs.[9]

S1203 J-magic

J-magic can overwrite previously executed command line arguments.[10]

S0641 Kobalos

Kobalos can remove all command history on compromised hosts.[11]

G0032 Lazarus Group

Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.[12]

G0059 Magic Hound

Magic Hound has removed mailbox export requests from compromised Exchange servers.[13]

G1051 Medusa Group

Medusa Group has cleared command history by running the PowerShell command Remove-Item (Get-PSReadlineOption).HistorySavePath.[14]

G0045 menuPass

menuPass has used Wevtutil to remove PowerShell execution logs.[15]

G0139 TeamTNT

TeamTNT has cleared command history with history -c.[16][17]

Mitigations

ID Mitigation Description
M1039 Environment Variable Permissions

Marking the environment variables associated with command history (for example HISTFILE, HISTSIZE and HISTFILESIZE) read-only in the shell's startup files prevents users from disabling or redirecting history and helps ensure that it is preserved.[18]

M1029 Remote Data Storage

Forward command-line history and related logs to a remote data store or centralized logging solution so that historical command line data is preserved even when local copies are cleared.

M1022 Restrict File and Directory Permissions

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.

Detection Strategy

DET0165 Behavioral Detection of Command History Clearing

AN0467

Detects adversary behavior clearing command history via history -c, deletion or modification of ~/.bash_history, or manipulation of the HISTFILE environment variable post-login.

AN0468

Detects adversary clearing shell history using history -c or deleting/altering ~/.zsh_history or ~/.bash_history. Focus on sessions with missing or wiped history.

AN0469

Detects PowerShell Clear-History invocation or deletion of ConsoleHost_history.txt to erase past PowerShell session history.

AN0470

Detects modification or truncation of /var/log/shell.log used to persist ESXi shell command history. Especially suspicious shortly after login or config changes.

AN0471

Detects use of clear history or clear logging commands on network device CLI to remove past activity logs.
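
The analytics above reduce, at the command-line level, to matching what the adversary typed against a small set of patterns per platform. The following Python script is an added example, not part of the ATT&CK page or of any particular detection product: it encodes those patterns for Linux/macOS shells, ESXi, network device CLIs and PowerShell and runs them over constructed sample command lines of the kind obtained from auditd execve records, ESXi shell.log entries, device syslog, or PowerShell script block logging. The rule labels, the sample lines, and the inclusion of `Set-PSReadLineOption -HistorySaveStyle SaveNothing` as a history-suppression variant are additions for this example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# A bash/zsh/sh history file path; excludes '>' so that '>>' (append) is not read as truncation.
HIST_FILE = r"[^\s>]*\.(?:bash|zsh|sh)_history\b"

# (platform, technique label, compiled pattern). Rules are applied independently, so one
# command line can yield several findings.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("linux/macos", "clear in-memory history",
     re.compile(r"(?:^|[;&|]\s*)\s*history\s+-[a-z]*c[a-z]*\b")),
    ("linux/macos", "delete history file",
     re.compile(r"\b(?:rm|unlink|shred)\b[^;&|]*" + HIST_FILE)),
    ("linux/macos", "truncate history file",
     re.compile(r"(?:(?<!>)>\s*" + HIST_FILE + r"|truncate\s+-s\s*0\s+" + HIST_FILE + r")")),
    ("linux/macos", "symlink history file to /dev/null",
     re.compile(r"ln\s+-s\w*\s+/dev/null\s+" + HIST_FILE)),
    ("linux/macos", "disable history via environment",
     re.compile(r"(?:unset\s+HISTFILE\b|HISTFILE=(?:/dev/null|\"\"|'')|HISTSIZE=0\b|HISTFILESIZE=0\b|set\s+\+o\s+history\b)")),
    ("esxi", "modify or truncate shell.log",
     re.compile(r"(?:\b(?:rm|sed\s+-i|truncate)\b[^;&|]*|>\s*)/var/log/shell\.log\b")),
    ("network", "clear device history or logging",
     re.compile(r"^\s*clear\s+(?:logging|history)\b")),
    ("windows", "Clear-History (current session only)",
     re.compile(r"\bClear-History\b", re.I)),
    ("windows", "remove or overwrite PSReadLine history file",
     re.compile(r"\b(?:Remove-Item|rm|del|ri|erase|Set-Content|Clear-Content|Out-File)\b"
                r"[^;|]*(?:ConsoleHost_history\.txt|HistorySavePath)", re.I)),
    ("windows", "disable PSReadLine history saving",
     re.compile(r"Set-PSReadLineOption\b[^;|]*-HistorySaveStyle\s+SaveNothing", re.I)),
]


def classify(cmd: str) -> List[Tuple[str, str]]:
    """Return every (platform, technique) rule that matches one command line."""
    return [(platform, technique) for platform, technique, rx in RULES if rx.search(cmd)]


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify over a stream of command lines and collect one alert per match."""
    alerts = []
    for line in lines:
        for platform, technique in classify(line):
            alerts.append({"line": line, "platform": platform, "technique": technique})
    return alerts


# Constructed sample command lines mixing benign history use with clearing techniques.
SAMPLE_COMMANDS = [
    "history | grep ssh",                                   # benign: reading history
    "history -c",
    "rm -f ~/.bash_history",
    "cat /dev/null > ~/.zsh_history",
    "export HISTFILE=/dev/null",
    "ln -sf /dev/null ~/.bash_history",
    "echo done >> ~/.bash_history",                         # benign: append, not truncate
    "ls -la /var/log/shell.log",                            # benign: read
    "sed -i '/whoami/d' /var/log/shell.log",
    "show logging",                                         # benign
    "clear logging",
    "Clear-History",
    "Remove-Item (Get-PSReadlineOption).HistorySavePath",
    r"Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",  # benign: read
    "Set-PSReadLineOption -HistorySaveStyle SaveNothing",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_COMMANDS):
        print(f"[{alert['platform']}] {alert['technique']}: {alert['line']}")
```

Two design points matter in practice. Reading the history (history, cat, Get-Content) is deliberately not matched, because it is routine and is better treated as a collection indicator than as indicator removal. And because each rule is independent, a chained command such as `export HISTSIZE=0; history -c` produces two findings, which is usually what you want for triage since the environment change and the clear are separate evasions.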

References