Impair Command History Logging - T1562.003
(ATT&CK® Technique)
Definition
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
D3FEND Inferred Relationships
Artifacts associated with the offensive technique:
  Impair Command History Logging (T1562.003) modifies Process Environment Variable
  Impair Command History Logging (T1562.003) may-modify User Init Script
  Impair Command History Logging (T1562.003) may-modify Windows Registry Key

Defensive techniques, the artifact each acts on, and the inferred relationship to T1562.003:
  Dynamic Analysis: analyzes User Init Script; may-detect T1562.003
  Emulated File Analysis: analyzes User Init Script; may-detect T1562.003
  Registry Key Deletion: deletes Windows Registry Key; may-evict T1562.003
  File Eviction: deletes User Init Script; may-evict T1562.003
  Decoy File: spoofs User Init Script; may-deceive T1562.003
  File Integrity Monitoring: analyzes User Init Script; may-detect T1562.003
  Executable Allowlisting: blocks User Init Script; may-isolate T1562.003
  Executable Denylisting: blocks User Init Script; may-isolate T1562.003
  Content Quarantine: quarantines User Init Script and Windows Registry Key; may-isolate T1562.003
  File Encryption: encrypts User Init Script; may-harden T1562.003
  Content Modification: modifies User Init Script; may-isolate T1562.003
  Restore Configuration: restores Process Environment Variable and Windows Registry Key; may-restore T1562.003
  Restore File: restores User Init Script; may-restore T1562.003
  Application Configuration Hardening: hardens Process Environment Variable; may-harden T1562.003
  Local File Permissions: restricts User Init Script; may-isolate T1562.003
  File Analysis: analyzes User Init Script; may-detect T1562.003
  Content Filtering: filters User Init Script; may-isolate T1562.003
  Remote File Access Mediation: isolates User Init Script; may-isolate T1562.003