Detection | high | test

Linux Command History Tampering

Detects commands that try to clear or tamper with the Linux command history. Threat actors use this technique to evade defenses and run commands without leaving a record in files such as "bash_history" or "zsh_history".

Author: Patrick Bareiss
Created: Sun Mar 24
Updated: Wed Apr 17
Rule ID: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
Product: linux
Log Source
Linux
Product: Linux (raw: linux)
Detection Logic (1 selector)
detection:
    keywords:
        - 'cat /dev/null >*sh_history'
        - 'cat /dev/zero >*sh_history'
        - 'chattr +i*sh_history'
        - 'echo "" >*sh_history'
        - 'empty_bash_history'
        - 'export HISTFILESIZE=0'
        - 'history -c'
        - 'history -w'
        - 'ln -sf /dev/null *sh_history'
        - 'ln -sf /dev/zero *sh_history'
        - 'rm *sh_history'
        - 'shopt -ou history'
        - 'shopt -uo history'
        - 'shred *sh_history'
        - 'truncate -s0 *sh_history'
        # - 'unset HISTFILE'  # prone to false positives
    condition: keywords
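Added example, not part of the Sigma rule or of this page: a small Python matcher that applies the rule's keyword list with Sigma keyword semantics (case-insensitive substring match, `*` as a wildcard) to a handful of constructed command-log lines. It shows which events the rule flags and that the commented-out `unset HISTFILE` keyword does not fire. The log-line format, usernames and paths are constructed for illustration; the keyword strings are copied from the rule above.

```python
import re
from typing import List, Tuple

# Keyword list copied from the rule's detection block. Sigma keyword
# matching is a case-insensitive substring match and '*' is a wildcard.
# 'unset HISTFILE' is deliberately absent, mirroring the rule's comment.
KEYWORDS = [
    'cat /dev/null >*sh_history',
    'cat /dev/zero >*sh_history',
    'chattr +i*sh_history',
    'echo "" >*sh_history',
    'empty_bash_history',
    'export HISTFILESIZE=0',
    'history -c',
    'history -w',
    'ln -sf /dev/null *sh_history',
    'ln -sf /dev/zero *sh_history',
    'rm *sh_history',
    'shopt -ou history',
    'shopt -uo history',
    'shred *sh_history',
    'truncate -s0 *sh_history',
]


def keyword_to_regex(keyword: str) -> "re.Pattern":
    """Translate one Sigma keyword into a regex: escape every literal part,
    join the parts with '.*' where the Sigma '*' wildcard stood, and search
    case-insensitively (no anchors, because keywords are substring matches)."""
    parts = [re.escape(p) for p in keyword.split('*')]
    return re.compile('.*'.join(parts), re.IGNORECASE)


COMPILED = [(kw, keyword_to_regex(kw)) for kw in KEYWORDS]


def match_line(line: str) -> List[str]:
    """Return the keywords that hit on a single log line ([] means no alert)."""
    return [kw for kw, rx in COMPILED if rx.search(line)]


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, matched_keywords) for every line the rule would alert on."""
    results = []
    for line in lines:
        hits = match_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample lines in the style of a shell command log; not real events.
SAMPLE_LOG = [
    'user=alice cmd="ls -la /var/log"',
    'user=bob cmd="cat /dev/null > ~/.bash_history"',
    'user=bob cmd="history -c"',
    'user=carol cmd="truncate -s0 /home/carol/.zsh_history"',
    'user=dave cmd="unset HISTFILE"',          # keyword commented out in the rule
    'user=eve cmd="chattr +i /root/.bash_history"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(f"ALERT {hits} <- {line}")
```

Because every keyword is a substring match, a hit only tells you the text occurred somewhere in the logged command; pair the alert with the originating user, session and parent process during triage, since the page records no assessed false-positive rate for this rule.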
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
Status
test
Level
high
Type
Detection
Created
Sun Mar 24
Modified
Wed Apr 17
Path
rules/linux/builtin/lnx_shell_clear_cmd_history.yml
Raw Tags
attack.defense-evasion, attack.t1070.003