Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Huseyin Can YUCEEL | March 12, 2025 | 3 MIN READ

LAST UPDATED ON MARCH 12, 2025

MITRE ATT&CK T1562.003 Impair Defenses: Impair Command History Logging

Impair Command History Logging is a defense evasion technique that adversaries use to manipulate or disable command history logging to hide their activity. Many operating systems, including Windows, Linux, and macOS, record command-line activity to help administrators and security teams audit system usage, detect anomalies, and investigate incidents. By impairing command history logging, attackers can erase traces of executed commands, making forensic analysis and threat hunting significantly more challenging.

In this blog post, we explain the T1562.003 Impair Command History Logging technique of the MITRE ATT&CK® framework and explore how adversaries employ Impair Command History Logging with real-world attack examples in detail.

rr25-mockup1

 

  


The Red Report 2025
The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries

GET THE REPORT

What is Command History Logging?

Command history logging refers to the practice of recording and storing a chronological record of commands executed in a computer system or software environment. This feature is commonly found in command-line interfaces, where users interact with a system by entering text-based commands. Command history logging provides users with a convenient and efficient way to review and recall previously executed commands. By maintaining a log of commands, users can track their activities, understand the sequence of operations, and reproduce specific actions when needed. 

Adversary Use of Impair Command History Logging

Adversaries manipulate or disable the logging mechanisms that record user commands, effectively erasing the digital footprint of malicious actions. By tampering with or impairing command history logging, adversaries can hide their tracks, making it challenging for system administrators and security analysts to analyze the sequence of events, identify the nature of the incident, and respond promptly. This technique can be used against Windows, Linux, and macOS operating systems.

In a Windows environment, PowerShell stores the user's command history in a file within the user's profile directory. Adversaries tamper with the ConsoleHost_history.txt using the commands below.

Set-Content -Path (Get-PSReadlineOption).HistorySavePath -Value 

In Linux and macOS environments, the command history is written to a file pointed by the environment variable HISTFILE. When a user logs off, the history is flushed to the .bash_history file in the user's home directory. Adversaries commonly tamper with the HISTFILE environment variable to manipulate command history logging. When HISTFILE is cleared or its size is set to zero, adversaries prevent the command history logs from being created.

//Clearing the HISTFILE variable

unset HISTFILE


//Setting the command history size to zero

export HISTFILESIZE=0

In July 2024, SeleniumGreed attack campaign was reported to exploit Selenium Grid services and deploy XMRig miner [1]. In this attack campaign adversaries disabled command logging for interactive shell sessions by setting the HISTFILE environment variable to /dev/null

Adversaries may also exploit the HISTCONTROL variable to manipulate command history logging. HISTCONTROL is a bash variable that controls how commands are saved on the history log. It includes a colon-separated list of values, which are:

  • Ignorespace: In the history list, lines starting with a space character are not saved.

  • Ignoredups: Lines matching the previous history entry are not saved.

  • Ignoreboth: Shorthand for 'ignorespace' and 'ignoredups.'

  • Erasedups: All previous lines matching the current line are deleted from the history list.

In another XMRig cryptominer campaign, adversaries were observed to exploit the built-in shopt (shell options) command, HISTFILE, HISTCONTROL, and HISTSIZE variables [2]. The commands below prevent additional shell commands from the attacker's session from being appended to the history file.

env_set(){

    HISTCONTROL="ignorespace${HISTCONTROL:+:$HISTCONTROL}" 2>/dev/null 1>/dev/null

    export HISTFILE=/dev/null 2>/dev/null 1>/dev/null

    unset HISTFILE 2>/dev/null 1>/dev/null

    shopt -ou history 2>/dev/null 1>/dev/null

    set +o history 2>/dev/null 1>/dev/null

    HISTSIZE=0 2>/dev/null 1>/dev/null

}

Ready to Simulate Real-World Threats from Red Report 2025?

References

[1] A. Mechtinger, G. Tikochinski, and D. Laska, "SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining," https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps

[2] M. Muir, "Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence," https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence

Table of Contents

Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A
Emerging Threat Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A
Learn More
Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
Emerging Threat Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
Learn More
Emerging Threat Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
Learn More
Emerging Threat Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign
Learn More
fortimanager
Emerging Threat CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained
Learn More
cisa-alert-aa24-290a
Emerging Threat Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A
Learn More
Emerging Threat CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure
Learn More
emerging-threat
Emerging Threat CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows
Learn More
RansomHub-Ransomware
Emerging Threat RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A
Learn More