Impair Defenses: Impair Command History Logging

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.

Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.[1][2][3]

Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).

ID: T1562.003
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Linux, Network, Windows, macOS
Defense Bypassed: Host forensic analysis, Log analysis
Contributors: Austin Clark, @c2defense; Emile Kenning, Sophos; Vikas Singh, Sophos
Version: 2.2
Created: 21 February 2020
Last Modified: 30 March 2023

Procedure Examples

ID Name Description
G0082 APT38

APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.[4]

S0692 SILENTTRINITY

SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[5]

Mitigations

ID Mitigation Description
M1039 Environment Variable Permissions

Prevent users from changing the HISTCONTROL, HISTFILE, and HISTFILESIZE environment variables. [6]

M1028 Operating System Configuration

Make sure that the HISTCONTROL environment variable is set to "ignoredups" instead of "ignoreboth" or "ignorespace".

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. For network devices, monitor for missing or inconsistencies in Network Device CLI logging present in AAA logs as well as in specific RADIUS and TACAS+ logs.

DS0013 Sensor Health Host Status

Users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.

References