Find sigma rule 
Attack: Impair Defenses: Impair Command History Logging
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user’s home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to “ignorespace”. HISTCONTROL can also be set to ignore duplicate commands by setting it to “ignoredups”. In some Linux systems, this is set by default to “ignoreboth” which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a Network Device CLI on network devices to disable historical command logging (e.g. no logging).
MITRE
Tactic
- defense-evasion
technique
- T1562.003
Test : Disable Windows Command Line Auditing using reg.exe
OS
- windows
Description:
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution. This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems. By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it. Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both: Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1) Registry events (Windows Event ID 4657, Sysmon Event ID 13)
Read more here: https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
Executor
command_prompt