Impair Command History Logging
Last updated
Last updated
Adversaries may impair command history logging to hide commands they run in a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups" which covers both of the previous examples. This meant that "ls" will not be saved but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\Consolehost_history.txt by default). Adversaries may change where these logs are saved using Set-PsReadLineOption -historySavePath {(FilePATH)}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.
Example:
Since cmd has history logging when you hit F7
Unfortunately for IT people this is only available in the current session once you close cmd the log disappears, but PowerShell we have the ConsoleHost File Log that we previously explained. TO disable the logging is simple.
