Defense Impairment

T1690: Prevent Command History Logging

T1690 · Technique · 5 platforms · 4 groups

Description

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The HISTFILE environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)

Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft about_History prevent command history)(Citation: Sophos PowerShell Command History Forensics)

Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).
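
For triage, the commands named in this description can be matched in process command-line telemetry. The following is an added example, not part of the original page: the label names and the sample lines are constructed for illustration, and the patterns cover only the variants this page mentions.

```sh
#!/bin/sh
# Added example, not from the original page. Label names are hypothetical.

# Map one command line to a label for the history-impairment pattern it matches.
classify_cmdline() {
    # Lower-case first: PowerShell cmdlet and parameter names are case-insensitive.
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *"unset "*histfile*)                 echo unset-histfile ;;
        *histfilesize=0*)                    echo histfilesize-zero ;;
        # Also matches MYSQL_HISTFILE=/dev/null, as in the BPFDoor entry.
        *histfile=/dev/null*|*histfile=0*)   echo histfile-redirected ;;
        *histcontrol=*ignorespace*|*histcontrol=*ignoreboth*)
                                             echo histcontrol-ignorespace ;;
        *set-psreadlineoption*-historysavestyle*savenothing*)
                                             echo psreadline-savenothing ;;
        *set-psreadlineoption*-historysavepath*)
                                             echo psreadline-savepath ;;
        *)                                   echo none ;;
    esac
}

# Read command lines on stdin, one per line; print "lineno<TAB>label<TAB>line" per hit.
scan_cmdlines() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        label=$(classify_cmdline "$line")
        [ "$label" = none ] || printf '%s\t%s\t%s\n' "$n" "$label" "$line"
    done
}

# Constructed sample telemetry (not real log data).
sample_cmdlines() {
    cat <<'EOF'
ls -la /tmp
unset HISTFILE
export HISTFILESIZE=0
export HISTCONTROL=ignoreboth
export HISTFILE=/dev/null
powershell.exe -c "Set-PSReadlineOption -HistorySaveStyle SaveNothing"
Set-PSReadLineOption -HistorySavePath C:\Temp\h.txt
vim ~/.bashrc
EOF
}

sample_cmdlines | scan_cmdlines
```

A HISTCONTROL hit is only a lead, since some Linux distributions ship "ignoreboth" as the default; commands prefixed with a space cannot be seen this way and need execution auditing instead of history files.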

Platforms

ESXi, Linux, macOS, Network Devices, Windows

Mitigations (2)

Environment Variable Permissions (M1039)

Prevent users from changing the HISTCONTROL, HISTFILE, and HISTFILESIZE environment variables. (Citation: Securing bash history)

Operating System Configuration (M1028)

Make sure that the HISTCONTROL environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
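
One way to apply both mitigations in a shell startup file, with a self-check that the changes described above are refused. This is an added example, not part of the original page: the function names, the suggested file location (/etc/profile.d/) and the history sizes are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. The body of lock_history_settings
# is what would go in a hypothetical /etc/profile.d/history-lock.sh.

lock_history_settings() {
    HISTCONTROL=ignoredups              # M1028: space-prefixed commands are still saved
    HISTFILE="${HOME}/.bash_history"
    HISTFILESIZE=5000                   # constructed value
    HISTSIZE=5000                       # constructed value
    # M1039: refuse later changes in this shell.
    readonly HISTCONTROL HISTFILE HISTFILESIZE HISTSIZE
    export HISTCONTROL HISTFILE HISTFILESIZE HISTSIZE
}

# Return 0 only if this shell refuses each change named in the description.
# Every attempt runs in a subshell so a refusal cannot abort the caller.
history_lock_holds() {
    ( unset HISTFILE ) 2>/dev/null && return 1
    ( HISTFILESIZE=0 ) 2>/dev/null && return 1
    ( HISTCONTROL=ignorespace ) 2>/dev/null && return 1
    return 0
}

if history_lock_holds; then echo "before: locked"; else echo "before: not locked"; fi
lock_history_settings
if history_lock_holds; then echo "after: locked"; else echo "after: not locked"; fi
```

The readonly attribute applies only to the shell that sourced the file, so treat it as a guard rail and keep command-line detection in place alongside it.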

Threat Groups (4)

| ID | Group | Context |
| --- | --- | --- |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) unset the Bash and MySQL history files on victim systems.(Citation: Hunt Sea Turtle 2024) |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has tampered with and disabled logging services on targeted systems.(Citation: Google Cloud Threat In... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCO... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has removed PowerShell command history through the use of the PSReadLine module by running the P... |

Associated Software (6)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1186 | Line Dancer | Malware | [Line Dancer](https://attack.mitre.org/software/S1186) can disable syslog on compromised devices.(Citation: Cisco ArcaneDoor 2024) |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has impaired command logging through the use of `dev/null` which prevents generating output from... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.(Citation: Gi... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has disabled logging and log forwarding on Ivanti devices targeting the `dslogserver` process.... |
| S1217 | VIRTUALPITA | Malware | [VIRTUALPITA](https://attack.mitre.org/software/S1217) can impair logging by setting the `HISTFILE` environmental variable to `0` and stopping the `vm... |
| S1161 | BPFDoor | Malware | [BPFDoor](https://attack.mitre.org/software/S1161) sets the `MYSQL_HISTFILE` and `HISTFILE` to `/dev/null` preventing the shell and MySQL from logging... |

Frequently Asked Questions

What is T1690 (Prevent Command History Logging)?

T1690 is a MITRE ATT&CK technique named 'Prevent Command History Logging'. It belongs to the Defense Impairment tactic. Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can...

How can T1690 be detected?

Detection of T1690 (Prevent Command History Logging) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1690?

There are 2 documented mitigations for T1690. Key mitigations include: Environment Variable Permissions, Operating System Configuration.

Which threat groups use T1690?

Known threat groups using T1690 include: Sea Turtle, UNC3886, APT38, Medusa Group.