title: Clear Command History
status: experimental
description: Clear command history in linux which is used for defense evasion. 
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
    - https://attack.mitre.org/techniques/T1146/
author: Patrick Bareiss
date: 2019/03/24
logsource:
    product: linux
detection:
    keywords:
        - 'rm *bash_history'
        - 'echo "" > *bash_history'
        - 'cat /dev/null > *bash_history' 
        - 'ln -sf /dev/null *bash_history'
        - 'truncate -s0 *bash_history'
        # - 'unset HISTFILE'  # prone to false positives
        - 'export HISTFILESIZE=0'
        - 'history -c'
    condition: keywords
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1146