MITRE ATT&CK Technique
Description
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-21T20:56:06.498Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may impair command history logging to hide '
'commands they run on a compromised system. Various command '
'interpreters keep track of the commands users type in their '
"terminal so that users can retrace what they've done. \n"
'\n'
'On Linux and macOS, command history is tracked in a file '
'pointed to by the environment variable <code>HISTFILE</code>. '
'When a user logs off a system, this information is flushed to '
"a file in the user's home directory called "
'<code>~/.bash_history</code>. The <code>HISTCONTROL</code> '
'environment variable keeps track of what should be saved by '
'the <code>history</code> command and eventually into the '
'<code>~/.bash_history</code> file when a user logs out. '
'<code>HISTCONTROL</code> does not exist by default on macOS, '
'but can be set by the user and will be respected. The '
'`HISTFILE` environment variable is also used in some ESXi '
'systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs '
'2022)\n'
'\n'
'Adversaries may clear the history environment variable '
'(<code>unset HISTFILE</code>) or set the command history size '
'to zero (<code>export HISTFILESIZE=0</code>) to prevent '
'logging of commands. Additionally, <code>HISTCONTROL</code> '
'can be configured to ignore commands that start with a space '
'by simply setting it to "ignorespace". '
'<code>HISTCONTROL</code> can also be set to ignore duplicate '
'commands by setting it to "ignoredups". In some Linux '
'systems, this is set by default to "ignoreboth" which covers '
'both of the previous examples. This means that “ ls” will not '
'be saved, but “ls” would be saved by history. Adversaries can '
'abuse this to operate without leaving traces by simply '
'prepending a space to all of their terminal commands. \n'
'\n'
'On Windows systems, the <code>PSReadLine</code> module tracks '
'commands used in all PowerShell sessions and writes them to a '
'file '
'(<code>$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt</code> '
'by default). Adversaries may change where these logs are '
'saved using <code>Set-PSReadLineOption -HistorySavePath {File '
'Path}</code>. This will cause '
'<code>ConsoleHost_history.txt</code> to stop receiving logs. '
'Additionally, it is possible to turn off logging to this file '
'using the PowerShell command <code>Set-PSReadlineOption '
'-HistorySaveStyle SaveNothing</code>.(Citation: Microsoft '
'PowerShell Command History)(Citation: Sophos PowerShell '
'command audit)(Citation: Sophos PowerShell Command History '
'Forensics)\n'
'\n'
'Adversaries may also leverage a [Network Device '
'CLI](https://attack.mitre.org/techniques/T1059/008) on '
'network devices to disable historical command logging (e.g. '
'<code>no logging</code>).',
'external_references': [{'external_id': 'T1562.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1562/003'},
{'description': 'Alexander Marvi, Jeremy Koppen, '
'Tufail Ahmed, and Jonathan Lepore. '
'(2022, September 29). Bad VIB(E)s '
'Part One: Investigating Novel '
'Malware Persistence Within ESXi '
'Hypervisors. Retrieved March 26, '
'2025.',
'source_name': 'Google Cloud Threat Intelligence '
'ESXi VIBs 2022',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence'},
{'description': 'jak. (2020, June 27). Live Discover '
'- PowerShell command audit. '
'Retrieved August 21, 2020.',
'source_name': 'Sophos PowerShell command audit',
'url': 'https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit'},
{'description': 'Microsoft. (2020, May 13). About '
'History. Retrieved September 4, '
'2020.',
'source_name': 'Microsoft PowerShell Command History',
'url': 'https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7'},
{'description': 'Vikas, S. (2020, August 26). '
'PowerShell Command History '
'Forensics. Retrieved November 17, '
'2024.',
'source_name': 'Sophos PowerShell Command History '
'Forensics',
'url': 'https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics'}],
'id': 'attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:05.941Z',
'name': 'Impair Command History Logging',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Vikas Singh, Sophos',
'Emile Kenning, Sophos',
'Austin Clark, @c2defense'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['ESXi', 'Linux', 'macOS', 'Network Devices', 'Windows'],
'x_mitre_version': '2.3'}