Linux Command History Tampering

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

Sigma rule

title: Linux Command History Tampering
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: test
description: |
    Detects commands that try to clear or tamper with the Linux command history.
    This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
    - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
    - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
author: Patrick Bareiss
date: 2019-03-24
modified: 2024-04-17
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: linux
detection:
    keywords:
        - 'cat /dev/null >*sh_history'
        - 'cat /dev/zero >*sh_history'
        - 'chattr +i*sh_history'
        - 'echo "" >*sh_history'
        - 'empty_bash_history'
        - 'export HISTFILESIZE=0'
        - 'history -c'
        - 'history -w'
        - 'ln -sf /dev/null *sh_history'
        - 'ln -sf /dev/zero *sh_history'
        - 'rm *sh_history'
        - 'shopt -ou history'
        - 'shopt -uo history'
        - 'shred *sh_history'
        - 'truncate -s0 *sh_history'
        # - 'unset HISTFILE'  # prone to false positives
    condition: keywords
falsepositives:
    - Unknown
level: high
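To show how the rule's `keywords` section actually fires, here is an added Python example (not part of the rule or any Sigma backend) that applies Sigma keyword semantics, case-insensitive substring matching with `*` as a wildcard, to a few constructed command-log lines. The log format and the `uid=... cmd="..."` lines are assumptions for illustration.

```python
import re

# Keyword list copied from the rule above. 'unset HISTFILE' is left out,
# as in the rule, because it is prone to false positives.
KEYWORDS = [
    'cat /dev/null >*sh_history',
    'cat /dev/zero >*sh_history',
    'chattr +i*sh_history',
    'echo "" >*sh_history',
    'empty_bash_history',
    'export HISTFILESIZE=0',
    'history -c',
    'history -w',
    'ln -sf /dev/null *sh_history',
    'ln -sf /dev/zero *sh_history',
    'rm *sh_history',
    'shopt -ou history',
    'shopt -uo history',
    'shred *sh_history',
    'truncate -s0 *sh_history',
]

def keyword_to_regex(keyword: str) -> re.Pattern:
    """Sigma keywords match case-insensitively anywhere in the event;
    '*' matches any run of characters, everything else is literal."""
    parts = [re.escape(p) for p in keyword.split('*')]
    return re.compile('.*'.join(parts), re.IGNORECASE)

PATTERNS = [(k, keyword_to_regex(k)) for k in KEYWORDS]

def match_line(line: str) -> list:
    """Return the rule keywords that fire on one log line (empty if none)."""
    return [k for k, pat in PATTERNS if pat.search(line)]

def scan(lines: list) -> dict:
    """Map each matching line to the keywords that matched it."""
    return {line: match_line(line) for line in lines if match_line(line)}

# Constructed sample log lines, not real telemetry (format is assumed).
SAMPLE_LOG = [
    'uid=1000 cmd="cat /dev/null > ~/.bash_history"',
    'uid=1000 cmd="history -c"',
    'uid=1000 cmd="ln -sf /dev/null /home/dev/.zsh_history"',
    'uid=1000 cmd="TRUNCATE -s0 .bash_history"',   # case-insensitive hit
    'uid=1000 cmd="unset HISTFILE"',               # intentionally not covered
    'uid=1000 cmd="cat /var/log/syslog"',
]

if __name__ == '__main__':
    for line, hits in scan(SAMPLE_LOG).items():
        print(f'{line} -> {hits}')
```

Four of the six constructed lines fire; `unset HISTFILE` stays silent because the rule deliberately excludes that keyword.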
