LoFP / An administrator may delete the ConsoleHost_history.txt file on a specific machine, potentially triggering this detection. However, this action is uncommon for regular users, who are not accustomed to using the PowerShell command line.

Techniques

Sample rules

Windows ConsoleHost History File Deletion

Description

The following analytic detects the deletion of the ConsoleHost_history.txt file, which stores the command history of PowerShell sessions (written by the PSReadLine module). Attackers may remove this file to cover their tracks and evade detection during post-exploitation activity. The detection keys on Sysmon file-deletion events (EventCode 23, FileDelete, which archives the deleted file, and EventCode 26, FileDeleteDetected, which only logs it) whose target is ConsoleHost_history.txt, regardless of whether the deletion was issued from PowerShell, the Command Prompt, a scripting language, or Explorer; the file is typically located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Two caveats: the rule only fires if the Sysmon configuration actually emits FileDelete/FileDeleteDetected events for that path, and it matches the default PSReadLine history location, so a session whose history path was changed with Set-PSReadLineOption -HistorySavePath will not be covered. Identifying such activity can help uncover anti-forensic behavior and suspicious administrative actions.

Detection logic

`sysmon` EventCode IN ("23","26") TargetFilename = "*\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt" 
| stats count min(_time) as firstTime, max(_time) as lastTime by action dest dvc file_path file_hash file_name file_modify_time process_name process_exec process_id process_path user_id vendor_product process_guid signature signature_id user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_consolehost_history_file_deletion_filter`
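To make the search above concrete, here is an added example (not code from the LoFP page, Splunk, or the PSReadLine project) that re-implements its filtering and aggregation in Python and runs it offline over a few constructed Sysmon records. It keeps the two parts of the SPL that matter: the EventCode IN ("23","26") plus TargetFilename wildcard filter, and the stats-style count/firstTime/lastTime per group. The group key is reduced to (dest, user, process_path) rather than the full field list, the sample hosts, users and timestamps are invented, and the allowlist stands in for the `windows_consolehost_history_file_deletion_filter` macro, whose real contents are site-specific tuning.

```python
"""Offline re-implementation of the ConsoleHost_history.txt deletion search (added example)."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from datetime import datetime

# Wildcard copied from the SPL TargetFilename clause (no regex; '*' only).
HISTORY_GLOB = r"*\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
# Sysmon 23 = FileDelete (file archived), 26 = FileDeleteDetected (logged only).
DELETE_EVENT_CODES = {"23", "26"}


@dataclass(frozen=True)
class SysmonEvent:
    time: str             # ISO-8601 timestamp (constructed)
    event_code: str
    dest: str             # host that logged the event
    user: str
    process_path: str     # Sysmon "Image"
    target_filename: str  # Sysmon "TargetFilename"


def is_history_deletion(ev: SysmonEvent) -> bool:
    """Equivalent of: EventCode IN ("23","26") TargetFilename = "*\\...\\ConsoleHost_history.txt"."""
    if ev.event_code not in DELETE_EVENT_CODES:
        return False
    # Windows paths and Splunk field searches are case-insensitive; normalise both sides.
    return fnmatch.fnmatchcase(ev.target_filename.lower(), HISTORY_GLOB.lower())


def detect(events: list[SysmonEvent]) -> dict[tuple[str, str, str], dict]:
    """Equivalent of: | stats count min(_time) as firstTime max(_time) as lastTime by dest user process_path."""
    groups: dict[tuple[str, str, str], dict] = {}
    for ev in events:
        if not is_history_deletion(ev):
            continue
        t = datetime.fromisoformat(ev.time)
        key = (ev.dest, ev.user, ev.process_path)
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups


def apply_filter(groups: dict, allowlist: set[tuple[str, str]]) -> dict:
    """Hypothetical stand-in for the filter macro: drop (dest, user) pairs known to be admins who clear history."""
    return {k: v for k, v in groups.items() if (k[0], k[1]) not in allowlist}


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD_EXE = r"C:\Windows\System32\cmd.exe"
ALICE_HIST = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
BOB_HIST = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"

# Constructed sample events; field values are invented for the demonstration.
SAMPLE_EVENTS = [
    SysmonEvent("2024-05-01T10:00:00+00:00", "23", "WKS01", r"CORP\alice", PS_EXE, ALICE_HIST),
    SysmonEvent("2024-05-01T10:00:30+00:00", "26", "WKS01", r"CORP\alice", PS_EXE, ALICE_HIST),
    SysmonEvent("2024-05-01T10:00:05+00:00", "26", "WKS01", r"CORP\alice", CMD_EXE, ALICE_HIST),
    # Benign noise: same process deleting an unrelated file -> must not match.
    SysmonEvent("2024-05-01T10:01:00+00:00", "23", "WKS01", r"CORP\alice", PS_EXE, r"C:\Users\alice\Downloads\report.tmp"),
    # Wrong event type: FileCreate (11) on the history file -> must not match.
    SysmonEvent("2024-05-01T10:02:00+00:00", "11", "WKS02", r"CORP\bob", PS_EXE, BOB_HIST),
]


def run_sample() -> dict:
    """Run the detection over the constructed events with an empty allowlist."""
    return apply_filter(detect(SAMPLE_EVENTS), allowlist=set())


if __name__ == "__main__":
    for (dest, user, proc), agg in run_sample().items():
        print(f"{dest} {user} {proc}: count={agg['count']} "
              f"first={agg['firstTime'].isoformat()} last={agg['lastTime'].isoformat()}")
```

Running the block yields two result rows for WKS01 (one per deleting process), which is exactly the shape the SPL produces: the two powershell.exe deletions collapse into one row with count 2, the cmd.exe deletion is its own row, and neither the unrelated .tmp deletion nor the FileCreate event on the history file contributes. Tuning the false positive described at the top of the page is then a matter of adding the known admin (dest, user) pair to the allowlist, which is what the site-specific filter macro is for.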