# Impair Command History Logging **ATT\&CK ID:** [T1562.003](https://attack.mitre.org/techniques/T1562/003/) **Permissions Required:** **Administrator** **Description** Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Windows systems, the `PSReadLine` module tracks commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` by default). Adversaries may change where these logs are saved using `Set-PSReadLineOption -HistorySavePath {File Path}`. This will cause `ConsoleHost_history.txt` to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command `Set-PSReadlineOption -HistorySaveStyle SaveNothing` \[[Source](https://attack.mitre.org/techniques/T1562/003/)] ## Techniques ### PowerShell ```powershell Set-PSReadlineOption -HistorySaveStyle SaveNothing del (Get-PSReadlineOption).HistorySavePath ``` **Note:** Console history saving will only save for "full" terminal sessions. A PowerShell terminal within `netcat` or `Metasploit` will fail to save the history. ## Scenario Examples of how wiping the console history can help remove evidence of events such as account creation and commands that communicate with malicious command and control systems. From the attackers perspective we see evidence of where we have been running commands within PowerShell. We can see the attackers IP and where they have added the local user *Barney* to the local administrators group. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FfBju6h1RTKlJXIy8BDVa%2FImpair-CommandLogging.png?alt=media\&token=6eadd5d8-0aea-48a6-997e-a733d281aedb) Running the command below we firstly disable the history saving to the `ConsoleHost_history.txt` file then, delete the contents. ```powershell Set-PSReadlineOption -HistorySaveStyle SaveNothing del (Get-PSReadlineOption).HistorySavePath ``` After doing so we find the file is no longer being created once PowerShell commands have been executed. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNwQsYVk3K86wZyxr0K0L%2FImpair-CommandLoggingDeletion.png?alt=media\&token=f20f06eb-9f7a-4204-a88d-d3ceeac9f7ef) ## Further Reading **PowerShell History File:** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/defense-evasion/impair-defenses/impair-command-history-logging.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.