
DET0563 Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms.

Item Value
ID DET0563
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1562.003 (Impair Command History Logging)

Analytics

Linux

AN1555

Detection of environment variable tampering (HISTFILE, HISTCONTROL, HISTSIZE, HISTFILESIZE) and of the absence of expected bash history writes. A shell session in which these variables are unset, pointed at /dev/null or set to zero while the session keeps executing commands is indicative of adversarial evasion. Two caveats shape the analytic: unset and export are shell builtins, so they produce no execve event of their own and the change is only visible in the environment inherited by processes the shell spawns afterwards; and bash writes ~/.bash_history at shell exit by default, so "no history writes during the session" is normal unless the baseline configures incremental saving (for example history -a in PROMPT_COMMAND), and the absence check should be anchored to session end.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL execve records for processes spawned by interactive shells (the builtins unset/export themselves generate no execve; the altered HIST* values show up in the children's environment), plus auditd file watches on history files to confirm the expected writes occur
Process Creation (DC0032) linux:osquery processes joined with process_envs: children of bash/zsh whose environment carries HISTFILE=/dev/null, HISTSIZE=0, HISTFILESIZE=0 or HISTCONTROL=ignorespace/ignoreboth
Mutable Elements
Field Description
MonitoredUsers Specific accounts or groups where history logging must always be enforced.
TimeWindow Correlation period to detect unset/export of history variables during active shells.

macOS

AN1556

Detection of bash/zsh history suppression via HISTFILE/HISTCONTROL (and, for zsh, SAVEHIST) manipulation and the absence of updates to ~/.bash_history or ~/.zsh_history (zsh has been the default login shell since macOS Catalina, so ~/.zsh_history is the expected file on current systems). Environment variable changes tied to terminal processes are a strong indicator.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog Set or unset HIST* variables in shell environment; note that the unified log does not record shell builtins, so the variable values themselves have to come from an endpoint sensor (Endpoint Security process events or osquery process_envs on the shell's child processes), with the unified log providing the terminal/session context
Mutable Elements
Field Description
ShellProfiles Different shells use different variables and history files (bash: HISTFILE/HISTSIZE/HISTCONTROL and ~/.bash_history; zsh: HISTFILE/SAVEHIST and ~/.zsh_history; fish: the fish_history variable and ~/.local/share/fish/fish_history) and require customized monitoring for history tampering.

Windows

AN1557

Detection of PowerShell history suppression using Set-PSReadLineOption with -HistorySaveStyle SaveNothing or with -HistorySavePath pointed at a non-default location. Script block logging (event 4104) is generated by the PowerShell engine independently of PSReadLine, so the Set-PSReadLineOption invocation is recorded even though PSReadLine stops saving history afterwards. PowerShell parameter names are case-insensitive and may be abbreviated to any unique prefix, so a detection that requires the full parameter name is easy to bypass. Correlating these options with PowerShell usage highlights adversarial evasion attempts.

Log Sources
Data Component Name Channel
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4104 (script block text), 4103 (module/pipeline logging), 4105 and 4106 (script block start/stop)
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
AllowedPaths List of acceptable PowerShell history save paths for baseline comparison; PSReadLine's default is %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.
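The AN1557 logic run over sample 4104 events, as an added example written for this page in Python (it is not MITRE's analytic code and not the ATT&CK project's own). The event dictionaries are constructed, the field names EventID/User/ScriptBlockText are assumed to match what a SIEM exposes for the PowerShell operational log, and the AllowedPaths baseline is reduced to PSReadLine's default location; parameter matching uses the unique prefixes -HistorySaveS and -HistorySaveP so abbreviated invocations are still caught.

```python
import re

# Constructed 4104 (script block logging) events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "User": r"CORP\alice",
     "ScriptBlockText": r"Get-ChildItem C:\Users"},
    {"EventID": 4104, "User": r"CORP\bob",
     "ScriptBlockText": "Set-PSReadLineOption -HistorySaveStyle SaveNothing"},
    {"EventID": 4104, "User": r"CORP\bob",
     "ScriptBlockText": r"set-psreadlineoption -HistorySaveP 'C:\Windows\Temp\h.txt'"},
    {"EventID": 4104, "User": r"CORP\carol",
     "ScriptBlockText": r'Set-PSReadLineOption -HistorySavePath "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'},
    {"EventID": 4104, "User": r"CORP\erin",
     "ScriptBlockText": "Set-PSReadLineOption -EditMode Emacs -HistorySaveSt ([Microsoft.PowerShell.HistorySaveStyle]::SaveNothing)"},
    {"EventID": 4103, "User": r"CORP\dave", "ScriptBlockText": ""},
]

# PowerShell parameter names are case-insensitive and may be abbreviated to any
# unique prefix, so "-HistorySaveS..." and "-HistorySaveP..." are matched rather
# than the full names. Obfuscated invocations (string building, splatting,
# Invoke-Expression) are out of scope here; 4104 logs the block as written.
SAVE_NOTHING_RE = re.compile(
    r"set-psreadlineoption\b.*?-historysaves\w*[\s:]+\S*savenothing", re.I | re.S)
SAVE_PATH_RE = re.compile(
    r"set-psreadlineoption\b.*?-historysavep\w*[\s:]+(?:(['\"])(.*?)\1|(\S+))", re.I | re.S)

# AllowedPaths baseline (assumption: only the PSReadLine default is allowed),
# whether written as $env:APPDATA, %APPDATA% or the expanded roaming profile path.
ALLOWED_PATH_RE = re.compile(
    r"^(?:\$env:appdata|%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)"
    r"\\microsoft\\windows\\powershell\\psreadline\\consolehost_history\.txt$", re.I)


def analyze_script_block(text):
    """Return the findings for one 4104 ScriptBlockText (empty list if benign)."""
    findings = []
    if SAVE_NOTHING_RE.search(text):
        findings.append("HistorySaveStyle set to SaveNothing")
    m = SAVE_PATH_RE.search(text)
    if m:
        path = (m.group(2) or m.group(3) or "").strip()
        if not ALLOWED_PATH_RE.match(path):
            findings.append(f"HistorySavePath redirected to {path}")
    return findings


def scan_events(events):
    """Run analyze_script_block over 4104 events and attribute findings to users."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        for finding in analyze_script_block(ev["ScriptBlockText"]):
            alerts.append({"user": ev["User"], "finding": finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["user"], "->", alert["finding"])
```

Alice and carol produce nothing; bob is flagged twice (SaveNothing, then a path under C:\Windows\Temp) and erin's abbreviated, enum-qualified form is caught because the match keys on the prefix and on the literal SaveNothing value, not on the full parameter name.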

ESXi

AN1558

Detection of unset HISTFILE or modified history variables in ESXi shell sessions, and correlation of shell sessions that show no recorded commands despite active usage. ESXi records interactive shell commands in /var/log/shell.log independently of the user's HISTFILE setting, so an active session with no entries there points at tampering with shell.log or with syslog forwarding rather than at the HISTFILE change alone.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:shell (/var/log/shell.log, forwarded via syslog) entries for unset HISTFILE, HISTFILE=/dev/null or HISTSIZE/HISTFILESIZE set to 0
Mutable Elements
Field Description
AdminSessions Differentiate root/admin shell sessions from adversarial misuse of ESXi shell.
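The HIST* environment check shared by AN1555 (Linux), AN1556 (macOS) and AN1558 (ESXi), as an added example written for this page in Python; it is not MITRE's or the ATT&CK project's own code. The rows are constructed in the shape of osquery's processes and process_envs tables (pid, key, value) and the MonitoredUsers list is assumed to be a set of uids. The point it demonstrates is the attribution problem: a shell's own environ is frozen at exec, so export HISTFILE=/dev/null never appears on the shell's pid and must be read off the children the shell spawns afterwards. A plain unset HISTFILE leaves no trace in a child's environment (bash does not export its defaults either), which is why the history-file write check remains necessary alongside this one.

```python
from collections import defaultdict

# Interactive shells whose history settings are attributed to a session.
SHELL_NAMES = {"bash", "zsh", "sh"}

# Constructed rows shaped like osquery's `processes` and `process_envs` tables
# (not real telemetry). HIST* values appear on the children, not on the shell.
PROCESSES = [
    {"pid": 100, "parent": 1,   "name": "sshd",    "uid": 0},
    {"pid": 200, "parent": 100, "name": "bash",    "uid": 1001},
    {"pid": 201, "parent": 200, "name": "curl",    "uid": 1001},
    {"pid": 300, "parent": 100, "name": "zsh",     "uid": 1002},
    {"pid": 301, "parent": 300, "name": "ls",      "uid": 1002},
    {"pid": 400, "parent": 100, "name": "bash",    "uid": 0},
    {"pid": 401, "parent": 400, "name": "python3", "uid": 0},
    {"pid": 500, "parent": 100, "name": "bash",    "uid": 1003},
    {"pid": 501, "parent": 500, "name": "vim",     "uid": 1003},
]
PROCESS_ENVS = [
    (201, "HISTFILE", "/dev/null"),
    (201, "HISTSIZE", "0"),
    (201, "PATH", "/usr/bin"),
    (301, "HISTCONTROL", "ignoreboth"),
    (301, "SAVEHIST", "0"),              # zsh: number of history lines saved to HISTFILE
    (401, "HISTFILESIZE", "0"),
    (401, "PATH", "/usr/bin"),
    (501, "PATH", "/usr/bin"),           # no HIST* at all is the normal case: bash
    (501, "HISTCONTROL", "ignoredups"),  # does not export defaults; ignoredups is benign
]


def suppressed_history_settings(env):
    """Return the HIST* settings in `env` that disable or weaken history."""
    findings = []
    if env.get("HISTFILE") in ("", "/dev/null"):
        findings.append(f"HISTFILE={env['HISTFILE'] or '<empty>'}")
    for var in ("HISTSIZE", "HISTFILESIZE", "SAVEHIST"):
        if env.get(var, "").strip() == "0":
            findings.append(f"{var}=0")
    ctl = env.get("HISTCONTROL", "")
    if "ignorespace" in ctl or "ignoreboth" in ctl:
        findings.append(f"HISTCONTROL={ctl} (space-prefixed commands are dropped)")
    return findings


def find_history_tampering(processes, process_envs, monitored_uids=frozenset()):
    """Attribute suppressed HIST* values seen on child processes to the parent shell."""
    by_pid = {p["pid"]: p for p in processes}
    envs = defaultdict(dict)
    for pid, key, value in process_envs:
        envs[pid][key] = value
    alerts = []
    for proc in sorted(processes, key=lambda p: p["pid"]):
        parent = by_pid.get(proc["parent"])
        if parent is None or parent["name"] not in SHELL_NAMES:
            continue
        findings = suppressed_history_settings(envs.get(proc["pid"], {}))
        if findings:
            alerts.append({
                "shell_pid": parent["pid"], "shell": parent["name"],
                "child_pid": proc["pid"], "uid": proc["uid"],
                "monitored": proc["uid"] in monitored_uids,  # MonitoredUsers
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_history_tampering(PROCESSES, PROCESS_ENVS, {0, 1001}):
        print(alert)
```

The same logic applies to ESXi once the rows come from a different collector, since the busybox shell there honours the same HISTFILE/HISTSIZE/HISTFILESIZE variables; only the SHELL_NAMES set and the source of the process table change.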

Network Devices

AN1559

Detection of CLI commands that disable command or session logging, such as Cisco IOS ‘no logging …’ (syslog destinations) or ‘no aaa accounting commands …’ (command accounting), and their equivalents on other vendors. An anomalous lack of new commands in session logs while the session remains active is a strong signal.

Log Sources
Data Component Name Channel
Command Execution (DC0064) networkdevice:cli Commands like ‘no logging’, ‘no aaa accounting commands’ or vendor equivalents that disable syslog, command accounting or session history, together with session login/keepalive records used to establish that a session is still active
Mutable Elements
Field Description
DeviceVendors Command syntax differs across Cisco, Juniper, Fortinet, etc., requiring vendor-aware tuning.
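Both AN1559 signals over a constructed session log, as an added example written for this page in Python (not MITRE's or the ATT&CK project's own code). The events, session names and the vendor-tagged pattern table are constructed; the Cisco IOS and Junos patterns are illustrative of the DeviceVendors tuning and the 600-second window stands in for TimeWindow. The "activity" event type is an assumption for whatever the device exports to show a session is still alive (keepalives, received bytes) without a logged command.

```python
import re
from collections import defaultdict

# Illustrative vendor-tagged patterns (DeviceVendors). Assumption: the table is
# maintained per vendor; regexes are anchored at the start of the trimmed command.
DISABLE_PATTERNS = {
    "cisco_ios": [
        r"^no logging\b",                  # syslog destinations (console, buffered, host)
        r"^no aaa accounting commands\b",  # command accounting to TACACS+/RADIUS
        r"^terminal history size 0\b",     # per-session command history
    ],
    "junos": [r"^delete system syslog\b"],
}
COMPILED = {v: [re.compile(p, re.I) for p in pats] for v, pats in DISABLE_PATTERNS.items()}

SILENCE_WINDOW = 600  # TimeWindow: seconds of session activity with no logged command

# Constructed session events (not real device logs). ts is seconds since session start.
EVENTS = [
    {"session": "rtr1-vty0", "vendor": "cisco_ios", "ts": 0,    "type": "login",    "text": ""},
    {"session": "rtr1-vty0", "vendor": "cisco_ios", "ts": 12,   "type": "cmd",      "text": "show running-config"},
    {"session": "rtr1-vty0", "vendor": "cisco_ios", "ts": 40,   "type": "cmd",      "text": " no logging host 10.0.0.5"},
    {"session": "rtr1-vty0", "vendor": "cisco_ios", "ts": 55,   "type": "cmd",      "text": "no aaa accounting commands 15 default"},
    {"session": "rtr2-vty1", "vendor": "cisco_ios", "ts": 0,    "type": "login",    "text": ""},
    {"session": "rtr2-vty1", "vendor": "cisco_ios", "ts": 5,    "type": "cmd",      "text": "show ip interface brief"},
    {"session": "rtr2-vty1", "vendor": "cisco_ios", "ts": 300,  "type": "activity", "text": ""},
    {"session": "rtr2-vty1", "vendor": "cisco_ios", "ts": 700,  "type": "activity", "text": ""},
    {"session": "rtr2-vty1", "vendor": "cisco_ios", "ts": 1000, "type": "activity", "text": ""},
    {"session": "fw1-ssh",   "vendor": "junos",     "ts": 0,    "type": "login",    "text": ""},
    {"session": "fw1-ssh",   "vendor": "junos",     "ts": 50,   "type": "cmd",      "text": "show interfaces terse"},
    {"session": "fw1-ssh",   "vendor": "junos",     "ts": 90,   "type": "activity", "text": ""},
    {"session": "fw1-ssh",   "vendor": "junos",     "ts": 120,  "type": "logout",   "text": ""},
]


def disabling_command(vendor, command):
    """Return the pattern a CLI command matched for this vendor, or None."""
    text = command.strip()
    for pat in COMPILED.get(vendor, []):
        if pat.search(text):
            return pat.pattern
    return None


def silent_sessions(events, window=SILENCE_WINDOW):
    """Flag sessions still showing activity more than `window` seconds after their last logged command."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    flagged = []
    for session, evs in by_session.items():
        last_cmd = None
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["type"] in ("login", "cmd"):
                last_cmd = ev["ts"]
            elif ev["type"] == "activity" and last_cmd is not None and ev["ts"] - last_cmd > window:
                flagged.append({"session": session, "silent_for": ev["ts"] - last_cmd})
                break  # one alert per session is enough
    return flagged


def analyze(events):
    """Combine both signals: explicit disabling commands, then silent-but-active sessions."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "cmd" and disabling_command(ev["vendor"], ev["text"]):
            alerts.append({"session": ev["session"], "ts": ev["ts"],
                           "reason": f"logging disabled: {ev['text'].strip()}"})
    for s in silent_sessions(events):
        alerts.append({"session": s["session"], "ts": None,
                       "reason": f"no commands logged for {s['silent_for']}s of session activity"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

rtr1-vty0 is flagged twice for explicit disabling commands, rtr2-vty1 for 695 seconds of keepalive activity after its last logged command, and the Junos session produces nothing. Removing syslog or accounting is also a routine administrative action, so in practice the first signal is scoped by the AdminSessions-style baseline and by change windows rather than alerted on alone.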