Huseyin Can YUCEEL | March 12, 2025 | 3 MIN READ

LAST UPDATED ON MARCH 12, 2025

MITRE ATT&CK T1562.003 Impair Defenses: Impair Command History Logging

Impair Command History Logging is a defense evasion technique that adversaries use to manipulate or disable command history logging to hide their activity. Many operating systems, including Windows, Linux, and macOS, record command-line activity to help administrators and security teams audit system usage, detect anomalies, and investigate incidents. By impairing command history logging, attackers can erase traces of executed commands, making forensic analysis and threat hunting significantly more challenging.

In this blog post, we explain the T1562.003 Impair Command History Logging technique of the MITRE ATT&CK® framework and explore in detail how adversaries employ it, with real-world attack examples.


What is Command History Logging?

Command history logging refers to the practice of recording and storing a chronological record of commands executed in a computer system or software environment. This feature is commonly found in command-line interfaces, where users interact with a system by entering text-based commands. Command history logging provides users with a convenient and efficient way to review and recall previously executed commands. By maintaining a log of commands, users can track their activities, understand the sequence of operations, and reproduce specific actions when needed. 

Adversary Use of Impair Command History Logging

Adversaries manipulate or disable the logging mechanisms that record user commands, effectively erasing the digital footprint of malicious actions. By tampering with or impairing command history logging, adversaries can hide their tracks, making it challenging for system administrators and security analysts to analyze the sequence of events, identify the nature of the incident, and respond promptly. This technique can be used against Windows, Linux, and macOS operating systems.

In a Windows environment, PowerShell (through the PSReadLine module) stores the user's command history in a file within the user's profile directory, ConsoleHost_history.txt. Adversaries tamper with this file using the command below, which overwrites it through the path that PSReadLine reports.

Set-Content -Path (Get-PSReadlineOption).HistorySavePath -Value 

In Linux and macOS environments, the command history is written to the file pointed to by the HISTFILE environment variable. When a user logs off, the in-memory history is flushed to the .bash_history file in the user's home directory. Adversaries commonly tamper with the HISTFILE environment variable to manipulate command history logging. When HISTFILE is cleared or the history file size is set to zero, adversaries prevent the command history from being written.

# Clearing the HISTFILE variable
unset HISTFILE

# Setting the history file size to zero
export HISTFILESIZE=0

In July 2024, the SeleniumGreed attack campaign was reported to exploit exposed Selenium Grid services and deploy the XMRig miner [1]. In this campaign, adversaries disabled command logging for interactive shell sessions by setting the HISTFILE environment variable to /dev/null.

Adversaries may also abuse the HISTCONTROL variable to manipulate command history logging. HISTCONTROL is a bash variable that controls which commands are saved to the history list. Its value is a colon-separated list of the following options:

  • ignorespace: Lines starting with a space character are not saved in the history list.

  • ignoredups: Lines matching the previous history entry are not saved.

  • ignoreboth: Shorthand for 'ignorespace' and 'ignoredups'.

  • erasedups: All previous lines matching the current line are removed from the history list before the current line is saved.

In another XMRig cryptominer campaign, adversaries were observed abusing the built-in shopt (shell options) command together with the HISTFILE, HISTCONTROL, and HISTSIZE variables [2]. The function below, taken from the dropper, prevents any further commands from the attacker's session from being appended to the history file; every line redirects stdout and stderr to /dev/null so that errors on shells lacking a given option do not reveal the tampering.

env_set(){
    HISTCONTROL="ignorespace${HISTCONTROL:+:$HISTCONTROL}" 2>/dev/null 1>/dev/null
    export HISTFILE=/dev/null 2>/dev/null 1>/dev/null
    unset HISTFILE 2>/dev/null 1>/dev/null
    shopt -ou history 2>/dev/null 1>/dev/null
    set +o history 2>/dev/null 1>/dev/null
    HISTSIZE=0 2>/dev/null 1>/dev/null
}
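Because unset, export, set and shopt are shell builtins, they never reach execve-based process auditing, so one practical place to catch the HISTFILE/HISTFILESIZE tampering above and the env_set() block from the dropper is in dropped scripts and shell rc files. The scanner below is an added example (not code from the page or from the referenced campaigns) whose rule patterns and sample script are my own constructions; it flags each history-impairing line and rates ignorespace/ignoreboth low because that is also a common legitimate rc setting.

```python
import re

# Rules are my own assumptions, written to cover the variants quoted on this
# page: bare assignments, `export`, `unset`, `set +o` / `shopt -ou`, optional
# quoting, and the trailing `2>/dev/null 1>/dev/null` noise in the dropper.
# ignorespace/ignoreboth also appears in many legitimate .bashrc files
# (Ubuntu's default uses ignoreboth), so it is rated low rather than high.
RULES = [
    ("histfile_unset", "high", re.compile(r"\bunset\s+HISTFILE\b")),
    ("histfile_devnull", "high", re.compile(r"\bHISTFILE=[\"']?/dev/null")),
    ("histfilesize_zero", "high", re.compile(r"\bHISTFILESIZE=[\"']?0+[\"']?(?![0-9])")),
    ("histsize_zero", "high", re.compile(r"\bHISTSIZE=[\"']?0+[\"']?(?![0-9])")),
    ("history_option_off", "high",
     re.compile(r"\b(set\s+\+o\s+history|shopt\s+-[a-z]*u[a-z]*\s+history)\b")),
    ("histcontrol_ignorespace", "low", re.compile(r"\bHISTCONTROL=.*ignore(space|both)")),
]

def scan_script(text):
    """Return [(line_no, indicator, severity)] for each non-comment line that
    matches a rule; a line can yield several hits if it sets several things."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, severity, pattern in RULES:
            if pattern.search(line):
                hits.append((line_no, name, severity))
    return hits

def history_logging_impaired(text):
    """True when at least one high-severity indicator is present."""
    return any(sev == "high" for _, _, sev in scan_script(text))

# Constructed sample: two benign rc lines followed by a block shaped like the
# env_set() function quoted on this page, plus the HISTFILESIZE=0 variant.
SAMPLE_SCRIPT = """\
# constructed sample input, not a real dropper
export HISTSIZE=10000
HISTCONTROL=ignoredups
env_set(){
    HISTCONTROL="ignorespace${HISTCONTROL:+:$HISTCONTROL}" 2>/dev/null 1>/dev/null
    export HISTFILE=/dev/null 2>/dev/null 1>/dev/null
    unset HISTFILE 2>/dev/null 1>/dev/null
    shopt -ou history 2>/dev/null 1>/dev/null
    set +o history 2>/dev/null 1>/dev/null
    HISTSIZE=0 2>/dev/null 1>/dev/null
    export HISTFILESIZE=0 2>/dev/null 1>/dev/null
}
"""

if __name__ == "__main__":
    for line_no, name, severity in scan_script(SAMPLE_SCRIPT):
        print(f"line {line_no:>2}: {name} ({severity})")
    print("impaired:", history_logging_impaired(SAMPLE_SCRIPT))
```

A high-severity hit in a file the user did not author (a dropped script, a modified /etc/profile.d entry) is the signal worth alerting on; a lone low-severity HISTCONTROL hit in ~/.bashrc is usually just the distribution default.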


References

[1] A. Mechtinger, G. Tikochinski, and D. Laska, "SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining," https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps

[2] M. Muir, "Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence," https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
