Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.

Read More

Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.

Read More

Clear command history in network OS which is used for defense evasion

Read More

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Read More

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

Read More

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

Read More

Open a handle on the drive volume via the \.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.

Read More