Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Clear command history in network OS which is used for defense evasion
status testauthor Austin Clarkid ceb407f6-8277-439b-951f-e4210e3ed956
view Sigma YAML
title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: test
description: Clear command history in network OS which is used for defense evasion
references:
- https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
author: Austin Clark
date: 2019-08-12
modified: 2023-05-26
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'clear logging'
- 'clear archive'
condition: keywords
falsepositives:
- Legitimate administrators may run these commands
level: high
high
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
status testauthor Austin Songer @austinsongerid bde47d4b-9987-405c-94c7-b080410e8ea7
view Sigma YAML
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
- https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
- https://www.shellhacks.com/clear-history-powershell/
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains: Clear-History
selection2a:
ScriptBlockText|contains:
- Remove-Item
- rm
selection2b:
ScriptBlockText|contains:
- ConsoleHost_history.txt
- (Get-PSReadlineOption).HistorySavePath
condition: selection1 or selection2a and selection2b
falsepositives:
- Unknown
level: high
high
Disable Powershell Command History
Detects scripts or commands that disabled the Powershell command history by removing psreadline module
status testauthor Ali Alwashaliid 602f5669-6927-4688-84db-0d4b7afb2150
view Sigma YAML
title: Disable Powershell Command History
id: 602f5669-6927-4688-84db-0d4b7afb2150
status: test
description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module
references:
- https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022-08-21
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Remove-Module
- psreadline
condition: selection
falsepositives:
- Legitimate script that disables the command history
level: high
high
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
status testauthor Patrick Bareissid fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
view Sigma YAML
title: Linux Command History Tampering
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: test
description: |
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
- https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
author: Patrick Bareiss
date: 2019-03-24
modified: 2024-04-17
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: linux
detection:
keywords:
- 'cat /dev/null >*sh_history'
- 'cat /dev/zero >*sh_history'
- 'chattr +i*sh_history'
- 'echo "" >*sh_history'
- 'empty_bash_history'
- 'export HISTFILESIZE=0'
- 'history -c'
- 'history -w'
- 'ln -sf /dev/null *sh_history'
- 'ln -sf /dev/zero *sh_history'
- 'rm *sh_history'
- 'shopt -ou history'
- 'shopt -uo history'
- 'shred *sh_history'
- 'truncate -s0 *sh_history'
# - 'unset HISTFILE' # prone to false positives
condition: keywords
falsepositives:
- Unknown
level: high
high
RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id c11aecef-9c37-45a6-9c07-bc0782f963fd
view Sigma YAML
title: RunMRU Registry Key Deletion
id: c11aecef-9c37-45a6-9c07-bc0782f963fd
related:
- id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
type: similar
status: experimental
description: |
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
references:
- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
- attack.stealth
- attack.t1070.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains|all:
- ' del'
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
view Sigma YAML
title: RunMRU Registry Key Deletion - Registry
id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
related:
- id: c11aecef-9c37-45a6-9c07-bc0782f963fd
type: similar
status: experimental
description: |
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
references:
- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
- attack.stealth
- attack.t1070.003
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml
medium
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
status testauthor Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.communityid 26b692dc-1722-49b2-b496-a8258aa6371d
view Sigma YAML
title: Clear PowerShell History - PowerShell
id: 26b692dc-1722-49b2-b496-a8258aa6371d
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2022-01-25
modified: 2022-12-02
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1a:
ScriptBlockText|contains:
- 'del'
- 'Remove-Item'
- 'rm'
selection1b:
ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
selection_2:
ScriptBlockText|contains|all:
- 'Set-PSReadlineOption'
- '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both
- 'SaveNothing'
selection_3:
ScriptBlockText|contains|all:
- 'Set-PSReadlineOption'
- '-HistorySaveStyle'
- 'SaveNothing'
condition: 1 of selection_* or all of selection1*
falsepositives:
- Legitimate PowerShell scripts
level: medium
medium
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
status testauthor Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.communityid f99276ad-d122-4989-a09a-d00904a5f9d2
view Sigma YAML
title: Clear PowerShell History - PowerShell Module
id: f99276ad-d122-4989-a09a-d00904a5f9d2
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019-10-25
modified: 2022-12-02
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_1a_payload:
Payload|contains:
- 'del'
- 'Remove-Item'
- 'rm'
selection_1b_payload:
Payload|contains: '(Get-PSReadlineOption).HistorySavePath'
selection_payload_2:
Payload|contains|all:
- 'Set-PSReadlineOption'
- '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both
- 'SaveNothing'
selection_payload_3:
Payload|contains|all:
- 'Set-PSReadlineOption'
- '-HistorySaveStyle'
- 'SaveNothing'
condition: 1 of selection_payload_* or all of selection_1*
falsepositives:
- Legitimate PowerShell scripts
level: medium
medium
Suspicious IO.FileStream
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
status testauthor frack113id 70ad982f-67c8-40e0-a955-b920c2fa05cb
view Sigma YAML
title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: test
description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
author: frack113
date: 2022-01-09
modified: 2022-03-05
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- New-Object
- IO.FileStream
- '\\\\.\\'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium