Indicator Removal: Clear Command History

Other sub-techniques of Indicator Removal (10)

ID	Name
ATAGS-T1099.001	Clear Command History
ATAGS-T1099.002	Clear Linux or Mac System Logs
ATAGS-T1099.003	Clear Mailbox Data
ATAGS-T1099.004	Clear Network Connection History and Configurations
ATAGS-T1099.005	Clear Persistence
ATAGS-T1099.006	Clear Windows Event Logs
ATAGS-T1099.007	File Deletion
ATAGS-T1099.008	Network Share Connection Removal
ATAGS-T1099.009	Relocate Malware
ATAGS-T1099.010	Timestomp

In addition to clearing system logs, Threat Actors may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

ID: ATAGS-T1099.001

Sub-technique of: ATAGS-T1099

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.