Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. PowerShell keeps the interactive history in the PSReadLine file ConsoleHost_history.txt, whose location is exposed by (Get-PSReadlineOption).HistorySavePath; the rule below flags either a Clear-History call or a Remove-Item/rm invocation that names that file or that expression. The patterns are matched against PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), so Script Block Logging must be enabled for the rule to fire. Note that Clear-History only empties the current session's in-memory history; the on-disk PSReadLine file is what the Remove-Item/rm branch covers, and the broad rm substring is only counted when it appears together with the history file or path expression.
Sigma rule
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
    - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
    - https://www.shellhacks.com/clear-history-powershell/
    - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1:
        ScriptBlockText|contains: Clear-History
    selection2a:
        ScriptBlockText|contains:
            - Remove-Item
            - rm
    selection2b:
        ScriptBlockText|contains:
            - ConsoleHost_history.txt
            - (Get-PSReadlineOption).HistorySavePath
    condition: selection1 or selection2a and selection2b
falsepositives:
    - Unknown
level: high
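To show how the selections and condition above evaluate, here is the rule's matching logic re-implemented in Python and run over constructed ScriptBlockText values of the kind found in PowerShell event 4104. This is an added example, not code from the SigmaHQ project; the sample events are made up for illustration, and Sigma's contains modifier is case-insensitive, which the comparison reproduces by lower-casing both sides.

```python
"""Evaluate the 'Clearing Windows Console History' Sigma rule against
constructed ScriptBlockText samples (added example, not SigmaHQ code)."""

# Patterns copied from the rule. Sigma `contains` is case-insensitive,
# so everything is compared in lower case.
SELECTION1 = ["clear-history"]
SELECTION2A = ["remove-item", "rm"]
SELECTION2B = ["consolehost_history.txt", "(get-psreadlineoption).historysavepath"]


def _contains_any(text: str, patterns: list[str]) -> bool:
    """Sigma `contains` with a list: true if any pattern is a substring."""
    lowered = text.lower()
    return any(p in lowered for p in patterns)


def matches_rule(script_block_text: str) -> bool:
    """condition: selection1 or selection2a and selection2b

    In Sigma, `and` binds tighter than `or`, so the unparenthesised
    condition in the rule means selection1 or (selection2a and selection2b).
    """
    s1 = _contains_any(script_block_text, SELECTION1)
    s2a = _contains_any(script_block_text, SELECTION2A)
    s2b = _contains_any(script_block_text, SELECTION2B)
    return s1 or (s2a and s2b)


# Constructed sample events (not real log data): (ScriptBlockText, expected hit).
SAMPLE_EVENTS = [
    # True positives the rule is written for.
    ("Clear-History", True),
    ("Remove-Item (Get-PSReadlineOption).HistorySavePath -Force", True),
    ("rm $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", True),
    # 'rm' occurs inside 'Format-Table', but selection2b is absent, so no hit:
    # the broad 'rm' substring is gated by the history-file patterns.
    ("Get-Process | Format-Table -AutoSize", False),
    # Remove-Item against an unrelated file: selection2b absent, no hit.
    ("Remove-Item C:\\temp\\build.log", False),
    # Same file deleted through the 'del' alias of Remove-Item: the rule
    # lists only Remove-Item and rm, so this evades it (a gap to be aware of).
    ("del C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", False),
]


def evaluate(events=SAMPLE_EVENTS) -> list[tuple[str, bool]]:
    """Run the rule over each event; returns (ScriptBlockText, matched)."""
    return [(text, matches_rule(text)) for text, _ in events]


if __name__ == "__main__":
    for text, hit in evaluate():
        print(f"{'ALERT ' if hit else 'ignore'}  {text}")
```

The last sample illustrates why falsepositives and false negatives both deserve attention here: the rule keeps noise down by requiring the history file or path expression alongside the delete verb, but the verb list covers only Remove-Item and rm, so the del and ri aliases, or overwriting the file with Clear-Content or Set-Content, slip past it.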
Related rules
- Cisco Clear Logs
- DLL Load By System Process From Suspicious Locations
- Disable Powershell Command History
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity