MITRE ATT&CK® Detection Strategy

DET0165: Behavioral Detection of Command History Clearing


Domain: Enterprise | ID: DET0165 | Type: Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because clearing command history is a common way intruders try to erase the trail of what was done with a compromised account. Even though the detection object has no official description or detection logic, its relationship to ATT&CK technique T1070.003 indicates defenders should treat command-history tampering as an evidence-preservation and investigation-readiness issue across the platforms of the related technique: ESXi, Linux, macOS, and network devices.

Executive priority

Prioritize this as an incident response and auditability control gap: if command history can be removed without detection or compensating telemetry, investigations may lose key context about unauthorized activity. Leaders should ask whether privileged and administrative sessions are logged outside the endpoint or device being administered, whether retention supports investigations, and whether SOC playbooks treat history clearing as a potential stealth indicator rather than a routine housekeeping event.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring around the related technique Clear Command History (T1070.003), categorized under stealth. Focus on whether activity affecting shell or command interpreter history can be observed independently from the local history file itself. Because the detection strategy object does not specify platforms, tactics, or detection logic, implementation should be scoped using the related technique platforms: ESXi, Linux, macOS, and network devices. Analysts should correlate command-history clearing indicators with account context, recent privileged access, remote administration, and other suspicious activity rather than treating every instance as malicious.

Likely telemetry

  • Shell or command interpreter history file metadata and modification events where available
  • Process execution or command-line telemetry associated with administrative sessions
  • Authentication and session logs for compromised or privileged accounts
  • Remote administration logs for ESXi, Linux, macOS, and network devices where applicable
  • File integrity or audit records for user history artifacts

Detection direction

  • Confirm whether command-history clearing events are visible in centralized telemetry, not only in local history files that may be modified or removed.
  • Tune detections around context: privileged users, unusual login sources, activity near other stealth or cleanup behaviors, and changes following administrative access.
  • Account for legitimate administrative or privacy practices that may clear history; require correlation before escalation where local norms support benign use.
  • Validate coverage separately for ESXi, Linux, macOS, and network devices because available history artifacts and logging mechanisms differ.
  • Use the relationship to T1070.003 as the primary analytic anchor; the supplied detection strategy object does not provide official detection logic.
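As an added example (not part of this Glexia page or of the ATT&CK object), the scoring below applies the detection direction above to centralised command telemetry: a history-clearing indicator is only the trigger, and the score comes from effective privilege, session origin and clustering of cleanup commands. The sample events, the pipe-separated field layout, the admin subnet and the score weights are constructed assumptions.

```python
import re
from collections import Counter
# Constructed command telemetry (auditd execve records or an EDR feed, collected
# centrally so it survives deletion of the local history file), one event per
# line in the form ts|host|user|euid|session|cmdline
SAMPLE_EVENTS = """\
2024-06-01T10:02:11Z|web01|deploy|1001|ssh:10.0.5.12|git pull origin main
2024-06-01T10:03:45Z|web01|deploy|0|ssh:10.0.5.12|history -c
2024-06-01T10:03:47Z|web01|deploy|0|ssh:10.0.5.12|rm -f /home/deploy/.bash_history
2024-06-01T11:15:02Z|build02|alice|1002|local|unset HISTFILE
2024-06-01T12:40:19Z|esx01|root|0|ssh:203.0.113.77|echo > /root/.ash_history
"""

# Command-line indicators of shell history clearing (T1070.003). A match is only
# the trigger; the score comes from privilege, session origin and clustering.
HISTORY_CLEAR_PATTERNS = [
    r"\bhistory\s+-c\b",
    r"\bunset\s+HISTFILE\b",
    r"\bHIST(FILE)?SIZE=0\b",
    r"\bset\s+\+o\s+history\b",
    r"\brm\b.*_history\b",
    r"(^|[;&|])\s*(:|echo|true)?\s*>\s*\S*_history\b",
]
ADMIN_SOURCE_NETS = ("10.0.5.",)  # assumed jump-host subnet; site-specific placeholder

def parse_event(line: str) -> dict:
    ts, host, user, euid, session, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "euid": int(euid),
            "session": session, "cmdline": cmdline}

def score_event(ev: dict):
    """Flag a history-clearing command line, weighted by privilege and session origin."""
    if not any(re.search(p, ev["cmdline"]) for p in HISTORY_CLEAR_PATTERNS):
        return None
    f = {**ev, "score": 40, "reasons": ["history-clearing indicator"]}
    if ev["euid"] == 0:
        f["score"] += 30; f["reasons"].append("effective root")
    src = ev["session"][4:] if ev["session"].startswith("ssh:") else ""
    if src and not src.startswith(ADMIN_SOURCE_NETS):
        f["score"] += 30; f["reasons"].append(f"remote source {src} outside admin subnet")
    return f

def analyse(telemetry: str) -> list:
    """Score each event, then raise findings that cluster in one session."""
    findings = [f for f in (score_event(parse_event(l)) for l in telemetry.splitlines() if l) if f]
    per_session = Counter((f["host"], f["user"], f["session"]) for f in findings)
    for f in findings:
        if per_session[(f["host"], f["user"], f["session"])] > 1:
            f["score"] += 10; f["reasons"].append("repeated cleanup in one session")
    return findings
```

Calling `analyse(SAMPLE_EVENTS)` ranks the root session from an unknown address highest, the two cleanup commands in the deploy session next, and the unprivileged local `unset HISTFILE` lowest, which is the correlation-before-escalation ordering the bullets above call for.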

Mitigation priorities

  • Preserve administrative activity in centralized logs with retention suitable for incident response and compliance evidence.
  • Limit and monitor privileged account use so command-history tampering is tied to accountable identities and sessions.
  • Harden logging so local history modification does not remove the only record of commands executed.
  • Review IR playbooks to ensure suspected history clearing triggers evidence preservation and broader account/session investigation.
  • Assess platform-specific logging gaps for ESXi, Linux, macOS, and network devices before claiming detection readiness.

Analyst notes and limits

DET0165 is a detection strategy object for Behavioral Detection of Command History Clearing and is linked to ATT&CK technique T1070.003, Clear Command History. The business value is in validating whether the organization can still reconstruct activity when an adversary attempts to conceal commands used during an intrusion.

The supplied detection strategy has no official description, detection text, tactics, or platforms. Platform and tactic context comes only from the related technique. Local command interpreter behavior, logging configuration, administrative norms, and retention settings are required to turn this into a reliable detection or control assessment.

Official MITRE ATT&CK definition

Behavioral Detection of Command History Clearing

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID          Name                                   Relationship / procedure
Enterprise  T1070.003   Clear Command History (sub-technique)  This object detects Clear Command History.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5d126c336158d8ad...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  5d126c336158…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0165

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.