{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/console-history/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","console-history"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to remove traces of their commands from a compromised system to hinder forensic analysis and detection efforts. Clearing the console history is one such tactic that reduces the audit trail available to defenders. While not a sophisticated technique, it demonstrates an awareness of system administration practices and a desire to operate covertly. This action can complicate incident response by deleting command-line evidence, making it difficult to reconstruct the attacker's activities. The impact of this behavior is largely dependent on the sophistication of the overall attack and the reliance on console logs for security monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Windows system via an unknown method (e.g., compromised credentials, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt (cmd.exe) or PowerShell console.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands for reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecls\u003c/code\u003e or \u003ccode\u003eClear-History\u003c/code\u003e command, or manually edits the console history file.\u003c/li\u003e\n\u003cli\u003eThe console history is cleared, removing a record of previous commands.\u003c/li\u003e\n\u003cli\u003eThe attacker continues malicious activities on the system, now with a reduced audit trail.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact is the reduction of forensic evidence available to security analysts. This can increase the time required to investigate an incident and potentially prevent a full understanding of the attacker's actions. The scope of impact is limited to the specific compromised system where the console history was cleared. This technique is more effective when combined with other evasion tactics, making detection more challenging.\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-clearing-console-history/","summary":"Adversaries may clear Windows console history to remove evidence of their activity and evade detection.","title":"Clearing Windows Console History for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-clearing-console-history/"}],"language":"en","title":"CraftedSignal Threat Feed - Console-History","version":"https://jsonfeed.org/version/1.1"}