description: MITRE ATT&CK, Defense Evasion, Sub-technique T1562.003

Impair Command History Logging

Impairing command history logging lets an attacker operate on a compromised host while leaving minimal evidence behind.

Methods for Linux and macOS

Clearing the HISTFILE

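```bash
# Unset HISTFILE so the shell does not write its history to a file on exit
unset HISTFILE

# Set the history file size to zero lines
export HISTFILESIZE=0

# ignoreboth = ignorespace + ignoredups: commands that begin with a space,
# and consecutive duplicates, are not saved to the history list
HISTCONTROL=ignoreboth
```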

Methods for Windows

```powershell
# Stop PSReadLine from saving command history to a file
Set-PSReadLineOption -HistorySaveStyle SaveNothing

# Change the file that PSReadLine writes command history to
Set-PSReadLineOption -HistorySavePath {File Path}
```
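
Detection sketch for the settings above, as an added example that is not part of the original page: it scans shell startup files and PowerShell profiles for the listed commands. The rule names, severity labels and sample file contents are assumptions constructed for illustration.

```python
import re

# Patterns mirror the settings listed on this page. Rule ids and severities are
# this example's own labels (assumptions), not ATT&CK data.
RULES = [
    ("histfile-unset", "high", re.compile(r"\bunset\s+HISTFILE\b")),
    ("histfilesize-zero", "high", re.compile(r"\bHISTFILESIZE=0\b")),
    # Low: ignoreboth also ships in some distributions' stock .bashrc.
    ("histcontrol-ignorespace", "low",
     re.compile(r"\bHISTCONTROL=\S*(?:ignorespace|ignoreboth)")),
    ("psreadline-savenothing", "high",
     re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I)),
    ("psreadline-savepath", "medium",
     re.compile(r"Set-PSReadLineOption\b.*-HistorySavePath\s+\S+", re.I)),
]

# Constructed sample inputs (not taken from any real host).
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
HISTCONTROL=ignoreboth
# unset HISTFILE
unset HISTFILE
export HISTFILESIZE=0
export HISTFILESIZE=2000
"""

SAMPLE_PROFILE = """\
# Microsoft.PowerShell_profile.ps1 (constructed sample)
Set-PSReadlineOption -HistorySaveStyle SaveNothing
Set-PSReadLineOption -HistorySavePath D:\\scratch\\hist.txt
Set-PSReadLineOption -EditMode Emacs
"""

def scan(text, source):
    """Return (source, line_no, rule_id, severity) for each matching line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and full-line comments change nothing
        for rule_id, severity, pattern in RULES:
            if pattern.search(stripped):
                findings.append((source, line_no, rule_id, severity))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_BASHRC, ".bashrc") + scan(SAMPLE_PROFILE, "profile.ps1"):
        print("%s:%d %s [%s]" % f)
```

A `-HistorySavePath` hit only means the path was changed; compare the new location against the expected one before escalating.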

References

{% embed url="https://attack.mitre.org/techniques/T1562/003/" %}