T1562.003 Impair Command History Logging
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user’s home directory called `~/.bash_history`. The `HISTCONTROL` environment variable keeps track of what should be saved by the `history` command and eventually into the `~/.bash_history` file when a user logs out. `HISTCONTROL` does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (`unset HISTFILE`) or set the command history size to zero (`export HISTFILESIZE=0`) to prevent logging of commands. Additionally, `HISTCONTROL` can be configured to ignore commands that start with a space by simply setting it to “ignorespace”. `HISTCONTROL` can also be set to ignore duplicate commands by setting it to “ignoredups”. In some Linux systems, this is set by default to “ignoreboth” which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the `PSReadLine` module tracks commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` by default). Adversaries may change where these logs are saved using `Set-PSReadLineOption -HistorySavePath {File Path}`. This will cause `ConsoleHost_history.txt` to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command `Set-PSReadlineOption -HistorySaveStyle SaveNothing`.[2][1][3]
Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. `no logging`).
Item | Value |
---|---|
ID | T1562.003 |
Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011 |
Tactics | TA0005 |
Platforms | Linux, Network, Windows, macOS |
Version | 2.2 |
Created | 21 February 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0082 | APT38 | APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.[6] |
S0692 | SILENTTRINITY | SILENTTRINITY can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory.[5] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1039 | Environment Variable Permissions | Prevent users from changing the HISTCONTROL, HISTFILE, and HISTFILESIZE environment variables.[4] |
M1028 | Operating System Configuration | Make sure that the HISTCONTROL environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0013 | Sensor Health | Host Status |
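
As an added example (not part of the original page), the Command Execution data component can be scanned for the specific commands this technique describes. The record format, host and user names, and sample lines are constructed assumptions, and the leading-space rule only works when the telemetry source preserves the command line exactly as typed.

```python
import re

# Rules cover only the commands named in the technique description above.
RULES = [
    ("histfile_unset", re.compile(r"\bunset\s+HISTFILE\b")),
    ("histfilesize_zero", re.compile(r"\bHISTFILESIZE=0\b")),
    ("histcontrol_weakened",
     re.compile(r"\bHISTCONTROL=[\"']?[\w:]*\b(ignorespace|ignoreboth)\b")),
    ("psreadline_save_nothing",
     re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing\b", re.I)),
    ("psreadline_path_changed",
     re.compile(r"Set-PSReadLineOption\b.*-HistorySavePath\b", re.I)),
    ("network_no_logging", re.compile(r"^\s*no\s+logging\b", re.I)),
]

# Constructed sample records, not real telemetry. Assumed format:
# timestamp <TAB> host <TAB> user <TAB> command line exactly as typed.
SAMPLE_RECORDS = [
    ("2023-03-30T10:00:01Z", "web01", "alice", "ls -la /var/www"),
    ("2023-03-30T10:02:10Z", "web01", "mallory", "unset HISTFILE"),
    ("2023-03-30T10:02:15Z", "web01", "mallory", "export HISTFILESIZE=0"),
    ("2023-03-30T10:02:30Z", "web01", "mallory", " cat /etc/hostname"),
    ("2023-03-30T10:05:00Z", "db02", "bob", "export HISTCONTROL=ignoredups"),
    ("2023-03-30T10:05:20Z", "db02", "bob", "export HISTCONTROL=ignoredups:ignorespace"),
    ("2023-03-30T10:07:00Z", "win07", "carol", "Set-PSReadlineOption -HistorySaveStyle SaveNothing"),
    ("2023-03-30T10:07:30Z", "win07", "carol", r"Set-PSReadLineOption -HistorySavePath C:\Temp\h.txt"),
    ("2023-03-30T10:09:00Z", "rtr01", "admin", "no logging"),
]
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in SAMPLE_RECORDS)

def scan(log_text):
    """Return (host, user, rule_name, command) for every rule a record hits."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing fields
        _ts, host, user, command = parts
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append((host, user, name, command))
        # Leading space: dropped from history under ignorespace/ignoreboth.
        if command.startswith(" ") and command.strip():
            findings.append((host, user, "leading_space", command))
    return findings

if __name__ == "__main__":
    for host, user, name, command in scan(SAMPLE_LOG):
        print(f"{host}\t{user}\t{name}\t{command!r}")
```

The `histcontrol_weakened` rule follows mitigation M1028: `ignoredups` alone is not flagged, while any value that includes `ignorespace` or `ignoreboth` is.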
References
1. jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.
2. Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.
3. Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.
4. Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.
5. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
6. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.