Adversaries may delete history files to remove evidence of their command-line activity and obfuscate their presence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential post-compromise activity and trace malicious user actions.
Detection Rule
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
- https://github.com/sleventyeleven/linuxprivchecker/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
- attack.impact
- attack.t1565.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/rm'
- '/unlink'
- '/shred'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
level: high
imProcessCreate
| where (TargetProcessName endswith "/rm" or TargetProcessName endswith "/unlink" or TargetProcessName endswith "/shred") and ((TargetProcessCommandLine contains "/.bash_history" or TargetProcessCommandLine contains "/.zsh_history") or (TargetProcessCommandLine endswith "_history" or TargetProcessCommandLine endswith ".history" or TargetProcessCommandLine endswith "zhistory"))Scenario: System Administrator Cleaning Bash History
Description: A system admin is performing routine maintenance and deletes the ~/.bash_history file to clear user activity logs.
Filter/Exclusion: Check for the presence of sudo or root user context, and filter events where the file is deleted by known admin users or during scheduled maintenance windows.
Scenario: Scheduled Job Removing History Files
Description: A cron job or scheduled task is configured to periodically clean up user history files as part of a cleanup process.
Filter/Exclusion: Include a filter for processes initiated by cron or systemd timers, and exclude deletions that occur during predefined cleanup times.
Scenario: User Logging Out and History File Being Cleared
Description: When a user logs out, the shell may automatically clear the ~/.bash_history file to remove session-specific commands.
Filter/Exclusion: Check for the presence of logout events (e.g., exit command or session termination), and exclude deletions that occur during normal user logoff.
Scenario: Security Tool or SIEM Agent Cleaning History Files
Description: A security tool or SIEM agent (e.g., Splunk, ELK stack) may delete history files as part of log normalization or data retention policies.
Filter/Exclusion: Filter events where the deletion is initiated by known security tools or agents, and exclude deletions that occur during log processing or retention cycles.
Scenario: User Using history -c to Clear Session History
Description: A user manually clears their bash history using the history -c command, which is a legitimate way to remove session-specific commands.
Filter/Exclusion: Filter for the presence of the history -c command in the process command line, and exclude deletions that occur in non-privileged