Clearing Windows Console History

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. The rule works on PowerShell Script Block Logging text and fires either on Clear-History or on a deletion command (Remove-Item or rm) whose script block also references the PSReadLine history file, ConsoleHost_history.txt or (Get-PSReadlineOption).HistorySavePath.

Sigma rule

title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
    - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
    - https://www.shellhacks.com/clear-history-powershell/
    - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021/11/25
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1:
        ScriptBlockText|contains: Clear-History
    selection2a:
        ScriptBlockText|contains:
            - Remove-Item
            - rm
    selection2b:
        ScriptBlockText|contains:
            - ConsoleHost_history.txt
            - (Get-PSReadlineOption).HistorySavePath
    condition: selection1 or selection2a and selection2b
falsepositives:
    - Unknown
level: high
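To make the condition concrete, the following is an added example (not part of the Sigma rule or this page) that re-implements the rule's matching logic in Python and runs it over a handful of constructed Event ID 4104 script block texts. The sample events are made up for illustration and are not real telemetry. It shows two things a practitioner should know before deploying the rule: Sigma's `contains` is a case-insensitive substring match, so the bare `rm` term also matches inside words such as `Format-Table`, and `and` binds tighter than `or` in Sigma conditions, so the condition reads as `selection1 or (selection2a and selection2b)`; the second selection is what keeps the noisy `rm` term from alerting on its own.

```python
# Re-implementation of the Sigma rule "Clearing Windows Console History"
# (example code, not the rule's own tooling). Terms copied from the rule.
SELECTION1 = ["Clear-History"]
SELECTION2A = ["Remove-Item", "rm"]
SELECTION2B = ["ConsoleHost_history.txt", "(Get-PSReadlineOption).HistorySavePath"]


def _contains_any(text: str, needles: list[str]) -> bool:
    """Sigma 'contains' semantics: case-insensitive substring match on any term."""
    lowered = text.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(script_block_text: str) -> bool:
    """Evaluate 'selection1 or selection2a and selection2b'.

    Sigma gives 'and' higher precedence than 'or', so the condition is
    selection1 or (selection2a and selection2b): Clear-History alone fires,
    and a delete verb fires only when the same block names the history file.
    """
    s1 = _contains_any(script_block_text, SELECTION1)
    s2a = _contains_any(script_block_text, SELECTION2A)
    s2b = _contains_any(script_block_text, SELECTION2B)
    return s1 or (s2a and s2b)


# Constructed sample events (not real logs): the ScriptBlockText field of
# PowerShell Event ID 4104 records as produced with Script Block Logging on.
SAMPLE_EVENTS = [
    # fires via selection1
    {"EventID": 4104, "ScriptBlockText": "Clear-History"},
    # fires via selection2a (Remove-Item) and selection2b (HistorySavePath)
    {"EventID": 4104, "ScriptBlockText": "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"},
    # fires via selection2a (rm) and selection2b (ConsoleHost_history.txt)
    {"EventID": 4104, "ScriptBlockText":
        "rm $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"},
    # deletes unrelated files: selection2a only, so no alert
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp | Remove-Item -Recurse"},
    # reads the history file rather than deleting it: selection2b only, no alert
    {"EventID": 4104, "ScriptBlockText": "Get-Content (Get-PSReadlineOption).HistorySavePath"},
    # 'rm' appears inside 'Format' (substring match) but selection2b is absent, no alert
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Format-Table -AutoSize"},
]


def run_detection(events: list[dict]) -> list[str]:
    """Return the ScriptBlockText of every 4104 event the rule would alert on."""
    return [
        event["ScriptBlockText"]
        for event in events
        if event.get("EventID") == 4104 and matches_rule(event["ScriptBlockText"])
    ]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block alerts on the first three sample events and stays quiet on the rest. Two caveats follow from reading the terms this way: Remove-Item has other aliases (del, erase, ri, rd, rmdir) that the rule's `rm` term does not cover except where `rm` happens to be a substring (rmdir), and turning history off with Set-PSReadLineOption -HistorySaveStyle SaveNothing is not matched at all, so treat the rule as one signal among several rather than complete coverage of T1070.003.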
