Impair Command History Logging - T1562.003
(ATT&CK® Technique)
Definition
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
D3FEND Inferred Relationships
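The graph below links this technique to the artifacts it modifies (user init scripts, Windows registry keys and process environment variables) and to the D3FEND defensive techniques that act on those same artifacts. Browse the D3FEND knowledge graph by clicking on the nodes below.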
%% D3FEND inferred-relationship graph for ATT&CK T1562.003 (Mermaid flowchart, laid out left to right).
%% Solid edges (-->) connect a technique to the artifact it acts on. The offensive technique
%% "may-modify" User Init Script and Windows Registry Key, and "modifies" Process Environment Variable.
%% Each defensive technique analyzes, spoofs, encrypts, hardens, deletes, restricts, blocks, restores
%% or isolates one of those three artifacts.
%% Dotted edges (-.->) run from a defensive technique to T1562.003 and are labelled by effect:
%% may-detect, may-deceive, may-harden, may-evict, may-isolate, may-restore.
%% NOTE(review): the dotted edges appear to follow only from the shared artifact, hence "may";
%% confirm each countermeasure against the shell and logging configuration actually in use.
%% Node classes: OffensiveTechniqueNode, DefensiveTechniqueNode, ArtifactNode. Repeated class and
%% click statements for the same node are redundant but left as generated.
graph LR; T1562003["Impair Command History Logging"] --> |may-modify| UserInitScript["User Init Script"]; class T1562003 OffensiveTechniqueNode; class UserInitScript ArtifactNode; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; click T1562003 href "/offensive-technique/attack/T1562.003/"; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; T1562003["Impair Command History Logging"] --> |may-modify| WindowsRegistryKey["Windows Registry Key"]; class T1562003 OffensiveTechniqueNode; class WindowsRegistryKey ArtifactNode; click WindowsRegistryKey href "/dao/artifact/d3f:WindowsRegistryKey"; click T1562003 href "/offensive-technique/attack/T1562.003/"; click WindowsRegistryKey href "/dao/artifact/d3f:WindowsRegistryKey"; T1562003["Impair Command History Logging"] --> |modifies| ProcessEnvironmentVariable["Process Environment Variable"]; class T1562003 OffensiveTechniqueNode; class ProcessEnvironmentVariable ArtifactNode; click ProcessEnvironmentVariable href "/dao/artifact/d3f:ProcessEnvironmentVariable"; click T1562003 href "/offensive-technique/attack/T1562.003/"; click ProcessEnvironmentVariable href "/dao/artifact/d3f:ProcessEnvironmentVariable"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | UserInitScript["User Init Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1562003["Impair Command History Logging"] ; class DynamicAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1562003["Impair Command History Logging"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DecoyFile["Decoy File"] --> | spoofs | UserInitScript["User Init Script"]; DecoyFile["Decoy File"] -.-> | 
may-deceive | T1562003["Impair Command History Logging"] ; class DecoyFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserInitScript["User Init Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1562003["Impair Command History Logging"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEncryption["File Encryption"] --> | encrypts | UserInitScript["User Init Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1562003["Impair Command History Logging"] ; class FileEncryption DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; ApplicationConfigurationHardening["Application Configuration Hardening"] --> | hardens | ProcessEnvironmentVariable["Process Environment Variable"]; ApplicationConfigurationHardening["Application Configuration Hardening"] -.-> | may-harden | T1562003["Impair Command History Logging"] ; class ApplicationConfigurationHardening DefensiveTechniqueNode; class ProcessEnvironmentVariable ArtifactNode; click ApplicationConfigurationHardening href "/technique/d3f:ApplicationConfigurationHardening"; FileEviction["File Eviction"] --> | deletes | UserInitScript["User Init Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1562003["Impair Command History Logging"] ; class FileEviction DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; RegistryKeyDeletion["Registry Key Deletion"] --> | deletes | WindowsRegistryKey["Windows Registry Key"]; RegistryKeyDeletion["Registry Key Deletion"] -.-> | may-evict | T1562003["Impair Command History Logging"] ; class RegistryKeyDeletion DefensiveTechniqueNode; class WindowsRegistryKey 
ArtifactNode; click RegistryKeyDeletion href "/technique/d3f:RegistryKeyDeletion"; LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitScript["User Init Script"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1562003["Impair Command History Logging"] ; class LocalFilePermissions DefensiveTechniqueNode; class UserInitScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | UserInitScript["User Init Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1562003["Impair Command History Logging"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | UserInitScript["User Init Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1562003["Impair Command History Logging"] ; class ExecutableDenylisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] --> | restores | UserInitScript["User Init Script"]; RestoreFile["Restore File"] -.-> | may-restore | T1562003["Impair Command History Logging"] ; class RestoreFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] --> | restores | ProcessEnvironmentVariable["Process Environment Variable"]; RestoreConfiguration["Restore Configuration"] -.-> | may-restore | T1562003["Impair Command History Logging"] ; class RestoreConfiguration DefensiveTechniqueNode; class ProcessEnvironmentVariable ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | 
WindowsRegistryKey["Windows Registry Key"]; class RestoreConfiguration DefensiveTechniqueNode; class WindowsRegistryKey ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; FileAnalysis["File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1562003["Impair Command History Logging"] ; class FileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | UserInitScript["User Init Script"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1562003["Impair Command History Logging"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class UserInitScript ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";