Clear Command History (T1070.003)

Information

• Name: Clear Command History

• ID: T1070.003

• Tactics:

• Technique:

Introduction

Clear Command History (T1070.003) is a sub-technique of the MITRE ATT&CK framework under the Defense Evasion tactic, specifically categorized within the Indicator Removal on Host technique (T1070). Attackers leveraging this sub-technique attempt to erase or modify shell and command-line history data to conceal their actions, evade detection, and hinder forensic investigations. Clearing command history helps adversaries remove evidence of executed commands, thus complicating incident response and attribution efforts.

Deep Dive Into Technique

Attackers typically perform command history clearing through various methods depending on the operating system and shell environment. Common methods include:

• Unix/Linux Systems:

  • Editing or deleting shell history files (e.g., .bash_history, .zsh_history, .sh_history) located in user home directories.

  • Executing commands that erase history directly, such as:

    Copy

    history -c
    echo "" > ~/.bash_history
    rm ~/.bash_history
    ln -sf /dev/null ~/.bash_history

  • Setting environment variables to prevent history logging:

    Copy

    export HISTFILE=/dev/null
    unset HISTFILE

  • Modifying shell configurations (.bashrc, .profile) to disable history logging permanently.

• Windows Systems:

  • Deleting or modifying command history stored in registry keys or files.

  • Clearing PowerShell history through commands:

    Copy

    Clear-History
    Remove-Item (Get-PSReadlineOption).HistorySavePath

  • Removing command prompt (cmd.exe) history through registry entries or by terminating command-line sessions.

Attackers may automate these actions via scripts, batch files, or embedded commands within malware payloads. Additionally, advanced threat actors may selectively edit history files, removing only incriminating commands to avoid suspicion.

When this Technique is Usually Used

Attackers commonly utilize Clear Command History (T1070.003) during multiple phases of an attack lifecycle:

• Initial Access and Privilege Escalation:

  • Immediately after gaining initial foothold or elevated privileges to remove any evidence of reconnaissance or exploitation commands.

• Persistence and Lateral Movement:

  • After establishing persistence mechanisms or moving laterally within a network to hide traces of commands used for spreading malware or creating backdoors.

• Defense Evasion and Anti-Forensics:

  • Continuously used throughout the attack lifecycle to evade detection by security analysts and automated detection tools.

  • During cleanup phases to remove evidence of attacker activities before leaving the compromised environment.

• Exfiltration and Impact:

  • After data exfiltration or destructive actions to eliminate evidence of commands used to transfer or delete sensitive information.

How this Technique is Usually Detected

Detection of Clear Command History activities typically involves monitoring and analyzing system logs, audit trails, and user behavior. Common detection methods include:

• File Integrity Monitoring (FIM):

  • Monitoring modifications or deletions of shell history files (.bash_history, .zsh_history) and PowerShell history files.

  • Alerting on suspicious file deletions or truncations.

• Audit Logging and SIEM Tools:

  • Collecting and analyzing audit logs for suspicious commands such as history -c, Clear-History, or deletion commands targeting history files.

  • Correlating sudden absence of command history entries or unusual gaps in recorded user activity.

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring processes and commands executed on endpoints.

  • Identifying unusual commands and scripts designed to remove or disable command history logging.

• Behavioral Analysis and Anomaly Detection:

  • Establishing baselines of normal behavior for users and systems, then detecting deviations such as sudden history file modifications or deletions.

  • Alerting on environment variable changes that disable history logging (HISTFILE=/dev/null).

Specific Indicators of Compromise (IoCs) include:

• Missing or empty shell history files.

• Presence of symbolic links redirecting history files to /dev/null.

• Registry modifications or deletions related to command history on Windows systems.

• Detection of scripts or commands explicitly designed to disable or clear command history.

Why it is Important to Detect This Technique

Early detection of Clear Command History activities is critical because:

• Incident Response and Forensics:

  • Command histories provide valuable forensic evidence, facilitating investigations into intrusion activities, timelines, and attacker methodologies.

  • Loss of this data significantly complicates forensic analysis and incident response efforts.

• Attack Attribution and Threat Intelligence:

  • Command history information helps security teams attribute attacks to specific threat actors, malware families, or attack campaigns.

  • Deletion of command history hinders attribution, enabling attackers to maintain anonymity and evade accountability.

• Detection of Ongoing Intrusions:

  • Identifying attempts to clear command history can indicate an active intrusion or ongoing malicious activity.

  • Early detection allows rapid containment and remediation, minimizing potential damage.

• Preventing Further Compromise:

  • Attackers who successfully clear command history may continue operating undetected, escalating privileges, moving laterally, or exfiltrating sensitive data.

  • Detecting this technique promptly can prevent further exploitation and protect critical assets.

Examples

Real-world examples demonstrating the use of Clear Command History (T1070.003) include:

• APT28 (Fancy Bear):

  • Known to clear command history after initial compromise to evade detection. Attackers deleted or truncated .bash_history files and used commands such as history -c.

• Turla Group:

  • Routinely executed commands to clear shell histories and redirected history logging to /dev/null to ensure no commands were recorded during their espionage campaigns.

• Operation Cloud Hopper (APT10):

  • Attackers cleared PowerShell history logs using commands like Clear-History and removed command history files to conceal lateral movement and data exfiltration activities.

• Carbanak Group:

  • Utilized scripts and manual commands to clear command history after conducting financial theft operations, complicating forensic investigations by law enforcement.

Tools and commands frequently used by adversaries include:

• Unix/Linux:

  • history -c

  • rm ~/.bash_history

  • ln -sf /dev/null ~/.bash_history

  • Custom shell scripts or aliases designed to automate history clearing.

• Windows:

  • Clear-History (PowerShell)

  • Removing or editing registry keys storing command history.

  • Batch scripts or PowerShell scripts designed specifically to erase history files and logs.

Impacts of these real-world incidents include:

• Extended attacker dwell times due to delayed detection.

• Reduced forensic evidence availability, complicating remediation and attribution.

• Increased operational costs and complexity for incident response teams.

• Significant data breaches, financial losses, and reputational damage to affected organizations.