EXPLORE

← Back to Explore

T1070.003

Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. Whe...

ESXiLinuxmacOSNetwork DevicesWindows

14

Detections

3

Sources

8

Threat Actors

BY SOURCE

9sigma3elastic2splunk_escu

PROCEDURES (8)

General Monitoring4 detections

Auto-extracted: 4 detections for general monitoring

Powershell3 detections

Auto-extracted: 3 detections for powershell

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Registry1 detections

Auto-extracted: 1 detections for registry

Evasion1 detections

Auto-extracted: 1 detections for evasion

Evasion1 detections

Auto-extracted: 1 detections for evasion

Powershell1 detections

Auto-extracted: 1 detections for powershell

Registry1 detections

Auto-extracted: 1 detections for registry

THREAT ACTORS (8)

APT41 APT5 Aquatic Panda Lazarus Group Magic Hound Medusa Group menuPass TeamTNT

DETECTIONS (14)

Cisco Clear Logs

Clear PowerShell History - PowerShell

Clear PowerShell History - PowerShell Module

Clearing Windows Console History

Clearing Windows Console History

Disable Powershell Command History

Linux Command History Tampering

RunMRU Registry Key Deletion

RunMRU Registry Key Deletion - Registry

Shell Command-Line History Deletion Detected via Defend for Containers

Suspicious IO.FileStream

Tampering of Shell Command-Line History

Windows ConsoleHost History File Deletion

Windows Powershell History File Deletion