Clear Command History
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. The command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history is available to all sessions and persists, since the file is not deleted when the session ends.
Adversaries may run the PowerShell command Clear-History to flush the entire command history from the current PowerShell session. This, however, will not delete or flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.
Example
For simplicity, this demo uses PowerShell. Just as Linux keeps its own history files of the commands that have been run, PowerShell has something similar: ConsoleHost_history.
We can see the location of this file with Get-PSReadLineOption.
Now let's view what history it contains.
Adversaries can delete this file as well, or empty it, to remove traces of what was done during the attack.
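As an added example (not part of the original demo), the following PowerShell script performs the defender-side version of the steps above: it resolves the PSReadLine history file through Get-PSReadLineOption instead of hard-coding the path, reports whether the file is missing or empty, and, where PowerShell Script Block Logging is enabled, looks for recorded script blocks that reference Clear-History or the history file. The function names are my own; Get-PSReadLineOption, its HistorySavePath and HistorySaveStyle properties, Get-History, and event ID 4104 in the Microsoft-Windows-PowerShell/Operational log are the real interfaces it relies on.

```powershell
# Added example: audit the PSReadLine history file on this host and compare it
# with the current session's in-memory history (Get-History).
# Assumes the PSReadLine module is loaded, which is the default in a console host.

function Get-PSReadLineHistoryStatus {
    $options = Get-PSReadLineOption
    $path    = $options.HistorySavePath   # same location the demo shows above

    $status = [ordered]@{
        HistorySavePath  = $path
        HistorySaveStyle = $options.HistorySaveStyle
        FileExists       = Test-Path -LiteralPath $path
        FileLines        = 0
        FileLastWrite    = $null
        SessionCommands  = @(Get-History).Count
        Suspicious       = $false
        Reason           = @()
    }

    if ($status.FileExists) {
        $item = Get-Item -LiteralPath $path
        $status.FileLastWrite = $item.LastWriteTime
        # Get-Content on a zero-byte file emits nothing, so @() gives a count of 0
        $status.FileLines = @(Get-Content -LiteralPath $path).Count
    }

    # HistorySaveStyle 'SaveNothing' legitimately produces no file; only flag
    # a missing or empty file when PSReadLine is actually configured to save.
    if ($status.HistorySaveStyle -ne 'SaveNothing') {
        if (-not $status.FileExists) {
            $status.Suspicious = $true
            $status.Reason += 'PSReadLine history file is missing'
        }
        elseif ($status.FileLines -eq 0) {
            $status.Suspicious = $true
            $status.Reason += 'PSReadLine history file exists but is empty'
        }
    }

    # Clear-History empties Get-History but leaves the file alone, so a session
    # with zero in-memory commands while the file is still growing is worth a look.
    if ($status.SessionCommands -eq 0 -and $status.FileLines -gt 0 -and
        $status.FileExists -and
        $status.FileLastWrite -gt (Get-Date).AddMinutes(-10)) {
        $status.Suspicious = $true
        $status.Reason += 'In-session history is empty although the history file was written recently'
    }

    [pscustomobject]$status
}

function Find-HistoryTamperingEvents {
    param([int]$MaxEvents = 2000)

    # Event 4104 (Script Block Logging) records the text of executed script blocks.
    # Requires Script Block Logging to be enabled via policy; otherwise nothing is returned.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $pattern = 'Clear-History|ConsoleHost_history|HistorySavePath'
    foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                RecordId    = $e.RecordId
                Snippet     = ($e.Message -split "`r?`n" | Where-Object { $_ -match $pattern } | Select-Object -First 1)
            }
        }
    }
}

# Usage: run in the session being examined, then review any Suspicious = True result
Get-PSReadLineHistoryStatus | Format-List
Find-HistoryTamperingEvents | Format-Table -AutoSize
```

The two checks are complementary: the file audit tells you whether the persistent history has been removed or emptied, while the 4104 search can surface the command that did it even after the history file itself is gone, because Script Block Logging writes to the event log rather than to the user's profile.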