
Linux Command History Tampering (fdc88d25-96fb-4b7c-9633-c0e417fdbd4e)

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | Linux Command History Tampering (fdc88d25-96fb-4b7c-9633-c0e417fdbd4e) | Sigma-Rules | 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 2