Description
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user's home directory called `~/.bash_history`. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (`history -c`) or deleting the bash history file (`rm ~/.bash_history`).
Adversaries may also leverage a Network Device CLI on network devices to clear command history data (`clear logging` and/or `clear history`).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command `Clear-History` to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the `ConsoleHost_history.txt` file. Adversaries may also delete the `ConsoleHost_history.txt` file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
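As an added example (not part of the ATT&CK page or any vendor tooling), the following Python scans command-line telemetry for the history-clearing actions described above, keyed to the platform each action applies to so that a Linux pattern does not fire on a Windows host. The `host|platform|user|command` record format and the sample lines are constructed assumptions.

```python
import re
from typing import Iterable, List, NamedTuple

class Finding(NamedTuple):
    host: str
    user: str
    indicator: str
    command: str

# One pattern per history-clearing action named in the technique description,
# keyed to the platform it applies to (case-insensitive: PowerShell and most
# network CLIs are, and on Linux the loss of precision is negligible).
INDICATORS = [
    ("linux", r"(?:^|[;&|]\s*)history\s+-c\b", "bash in-memory history cleared (history -c)"),
    ("linux", r"\brm\b[^;&|]*\.bash_history\b", "bash history file deleted"),
    ("network", r"^\s*clear\s+(?:logging|history)\b", "network device CLI logging/history cleared"),
    ("esxi", r"\brm\b[^;&|]*/var/log/shell\.log\b", "ESXi shell audit log removed"),
    ("windows", r"\bClear-History\b", "PowerShell session history flushed (PSReadLine file untouched)"),
    ("windows", r"\bRemove-Item\b[^;|]*ConsoleHost_history\.txt", "PSReadLine history file deleted"),
]
COMPILED = [(p, re.compile(rx, re.IGNORECASE), d) for p, rx, d in INDICATORS]

def scan(records: Iterable[str]) -> List[Finding]:
    """One Finding per matching indicator. Records are 'host|platform|user|command'
    (assumed format); malformed lines are skipped, and a pattern only fires on its platform."""
    findings = []
    for raw in records:
        parts = raw.strip().split("|", 3)
        if len(parts) != 4:
            continue
        host, platform, user, command = parts
        for plat, rx, desc in COMPILED:
            if plat == platform.lower() and rx.search(command):
                findings.append(Finding(host, user, desc, command))
    return findings
# Constructed sample telemetry: one hit per indicator plus benign look-alikes.
SAMPLE = """\
web01|linux|deploy|history -c
web01|linux|deploy|rm -f /home/deploy/.bash_history
web01|linux|deploy|history | tail -n 20
rtr-edge|network|admin|clear logging
rtr-edge|network|admin|show history
esx02|esxi|root|rm /var/log/shell.log
ws-17|windows|alice|Clear-History
ws-17|windows|alice|Remove-Item $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
ws-17|windows|alice|Get-History
"""
if __name__ == "__main__":
    for f in scan(SAMPLE.splitlines()):
        print(f"{f.host} {f.user}: {f.indicator} <- {f.command}")
```

Because `Clear-History` is reported separately from deletion of the PSReadLine file, an analyst can see at a glance whether the on-disk history still exists for forensic recovery.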
Platforms
Mitigations (3)
Remote Data Storage (M1029)
Forward command history data to a remote data store or centralized logging solution so that historical command line data is preserved even if the local copy is cleared.
Restrict File and Directory Permissions (M1022)
Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.
Environment Variable Permissions (M1039)
Making the environment variables associated with command history read only may ensure that the history is preserved.(Citation: Securing bash history)
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) cleared command history in Linux environments to remove traces of activity after operations.(Ci... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has cleared command history by running the PowerShell command `Remove-Item (Get-PSReadlineOption... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has cleared command history with <code>history -c</code>.(Citation: Trend Micro TeamTNT)(Citation: Ci... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used [Wevtutil](https://attack.mitre.org/software/S0645) to remove PowerShell execution logs.(Ci... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has removed mailbox export requests from compromised Exchange servers.(Citation: DFIR Report APT3... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has routinely deleted log files on a compromised router, including automatic log deletion throu... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has cleared the command history on targeted ESXi servers.(Citation: Mandiant Pulse Secure Update May 202... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) attempted to remove evidence of some of its activity by deleting Bash histories.(Citation: FireEye APT4... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1203 | J-magic | Malware | [J-magic](https://attack.mitre.org/software/S1203) can overwrite previously executed command line arguments.(Citation: Lumen J-Magic JAN 2025) |
| S0641 | Kobalos | Malware | [Kobalos](https://attack.mitre.org/software/S0641) can remove all command history on compromised hosts.(Citation: ESET Kobalos Feb 2021) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has used `history -c` to clear script shell logs.(Citation: Unit 42 Hildegard Malware) |
References
- Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025.
- jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.
- Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1070.003 (Clear Command History)?
T1070.003 is a MITRE ATT&CK technique named 'Clear Command History'. It belongs to the Stealth tactic(s). In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track...
How can T1070.003 be detected?
Detection of T1070.003 (Clear Command History) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1070.003?
There are 3 documented mitigations for T1070.003. Key mitigations include: Remote Data Storage, Restrict File and Directory Permissions, Environment Variable Permissions.
Which threat groups use T1070.003?
Known threat groups using T1070.003 include: Aquatic Panda, Medusa Group, TeamTNT, menuPass, Magic Hound, Lazarus Group, APT5, APT41.