1. Home
  2. Techniques
  3. Enterprise
  4. Impair Defenses
  5. Impair Command History Logging

Impair Defenses: Impair Command History Logging

ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System
T1562.013 Disable or Modify Network Device Firewall

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The HISTFILE environment variable is also used in some ESXi systems.[1]

Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.[2][3][4]

Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).

ID: T1562.003
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Austin Clark, @c2defense; Emile Kenning, Sophos; Vikas Singh, Sophos
Version: 2.3
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0082 APT38

APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.[5]
C0046 ArcaneDoor

ArcaneDoor included disabling logging on targeted Cisco ASA appliances.[6][7]
S1161 BPFDoor

BPFDoor sets the MYSQL_HISTFILE and HISTFILE to /dev/null preventing the shell and MySQL from logging history in /proc/<PID>/environ.[8]

S1186 Line Dancer

Line Dancer can disable syslog on compromised devices.[6]
G1051 Medusa Group

Medusa Group has removed PowerShell command history through the use of the PSReadLine module by running the PowerShell command Remove-Item (Get-PSReadlineOption).HistorySavePath.[9]
C0056 RedPenguin

During RedPenguin, UNC3886 used malware to clear the HISTFILE environmental vaiable and to inject into Junos OS processes to inhibit logging.[10][11]
G1041 Sea Turtle

Sea Turtle unset the Bash and MySQL history files on victim systems.[12]
S0692 SILENTTRINITY

SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[13]
G1048 UNC3886

UNC3886 has tampered with and disabled logging services on targeted systems.[14]
S1217 VIRTUALPITA

VIRTUALPITA can impair logging by setting the HISTFILE environmental variable to 0 and stopping the vmsyslogd service.[1]

Mitigations

ID Mitigation Description
M1039 Environment Variable Permissions

Prevent users from changing the HISTCONTROL, HISTFILE, and HISTFILESIZE environment variables. [15]
M1028 Operating System Configuration

Make sure that the HISTCONTROL environment variable is set to "ignoredups" instead of "ignoreboth" or "ignorespace".

Detection Strategy

ID Name Analytic ID Analytic Description
DET0563 Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms. AN1555

Detection of environment variable tampering (HISTFILE, HISTCONTROL, HISTFILESIZE) and absence of expected bash history writes. Correlation of unset or zeroed history variables with active shell sessions is indicative of adversarial evasion.
AN1556

Detection of bash/zsh history suppression via HISTFILE/HISTCONTROL manipulation and absence of ~/.bash_history updates. Observing environment variable changes tied to terminal processes is a strong indicator.
AN1557

Detection of PowerShell history suppression using Set-PSReadLineOption with SaveNothing or altered HistorySavePath. Correlating these options with PowerShell usage highlights adversarial evasion attempts.
AN1558

Detection of unset HISTFILE or modified history variables in ESXi shell sessions. Correlation of suspicious shell sessions with no recorded commands despite active usage.
AN1559

Detection of CLI commands that disable history logging such as 'no logging'. Anomalous lack of new commands in session logs while activity persists is a strong signal.

References

  1. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
  2. Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.
  3. jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.
  4. Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.
  5. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  6. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  7. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
  8. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  1. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  2. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.
  3. Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025.
  4. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  5. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  6. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
  7. Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.