Linux Command History Tampering (fdc88d25-96fb-4b7c-9633-c0e417fdbd4e)

Detects commands that attempt to clear or tamper with the Linux command history. Threat actors use this technique to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Linux Command History Tampering (fdc88d25-96fb-4b7c-9633-c0e417fdbd4e) | Sigma-Rules | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 1 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 2 |