Potential PowerShell Console History Access Attempt via History File
Detects attempts to read the PowerShell console history directly from its history file (ConsoleHost_history.txt). The file is written by the PSReadLine module, which ships with Windows PowerShell 5.1 and PowerShell 7 and records every command typed interactively in a console host (commands run from scripts are not recorded). By default it lives at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, and the expression (Get-PSReadLineOption).HistorySavePath returns the configured location. Because the file is plaintext and persists across sessions, it often contains passwords that were passed on the command line, and reading it is a routine step in post-exploitation reconnaissance. The rule matches on the process command line only: it requires command-line logging (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) and fires only when the file name or the HistorySavePath expression appears literally in the command line. A read through a path assembled at runtime, or from inside an already-running PowerShell session, is not covered.
Sigma rule
title: Potential PowerShell Console History Access Attempt via History File
id: f4ff7323-b5fc-4323-8b52-6b9408e15788
status: experimental
description: |
    Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
    This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
references:
    - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
author: Luc Génaux
date: 2025-04-03
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ConsoleHost_history.txt'
            - '(Get-PSReadLineOption).HistorySavePath'
    condition: selection
falsepositives:
    - Legitimate access of the console history file is possible
level: medium
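The following is an added example, not part of the rule or of SigmaHQ: a Python re-implementation of the selection above, run over a handful of constructed process-creation records. The records are made up for this demonstration (field names follow the Sysmon/Sigma convention, the values are not from any real host). It shows the two literal triggers firing, Sigma's case-insensitive contains matching catching a lowercased file name, a benign command line staying silent, and one way of reaching the same file that the rule does not see because neither substring appears on the command line.

```python
from typing import Iterable

# Substrings from the rule's `CommandLine|contains` list. Sigma's `contains`
# modifier is case-insensitive by default, so matching lowers both sides.
SELECTION_CONTAINS = (
    "ConsoleHost_history.txt",
    "(Get-PSReadLineOption).HistorySavePath",
)


def matches_rule(command_line: str) -> bool:
    """Return True when a command line would fire the Sigma rule.

    Equivalent to `CommandLine|contains: [...]` with `condition: selection`:
    any one of the listed substrings, compared case-insensitively, is enough.
    """
    cl = command_line.lower()
    return any(s.lower() in cl for s in SELECTION_CONTAINS)


# Constructed sample events (not real telemetry), each one process creation
# as a Sigma backend sees it after field mapping.
SAMPLE_EVENTS = [
    # Fires: file name appears literally.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    # Fires: HistorySavePath expression appears literally.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Get-Content (Get-PSReadLineOption).HistorySavePath"'},
    # Fires: different casing, different tool (findstr), still a substring hit.
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r"findstr /si password C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\consolehost_history.txt"},
    # Benign: unrelated PowerShell use, must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Service | Where-Object Status -eq Running"},
    # Not covered: the path is resolved into a variable first, so neither
    # the file name nor the full HistorySavePath expression is on the line.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "$p = Get-PSReadLineOption; gc $p.HistorySavePath"'},
]


def run_detection(events: Iterable[dict]) -> list[dict]:
    """Apply the rule to every event and return the ones that fire."""
    return [e for e in events if matches_rule(e.get("CommandLine", ""))]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["CommandLine"])
```

The last sample is the practical caveat: the rule is a literal-substring check, so any operator who stores the path in a variable, tab-completes a wildcard, or reads the file from a session that was already running (no new process creation) produces no alert. Pairing this rule with file-access auditing on the PSReadLine directory, or with script block logging that captures the resolved Get-Content call, closes that gap.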
References
- https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
Related rules
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock