LoFP / legitimate access of the console history file is possible

Techniques

Sample rules

Potential PowerShell Console History Access Attempt via History File

Description

Detects potential attempts to read the PowerShell console history directly from its history file (ConsoleHost_history.txt), either by naming the file or by resolving its path through (Get-PSReadLineOption).HistorySavePath. The history can expose plaintext passwords used in earlier PowerShell commands and is also useful for general reconnaissance, which is why the rule fires on any command line that references it; legitimate users and administrators reviewing their own history trigger the same selection.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ConsoleHost_history.txt
  - (Get-PSReadLineOption).HistorySavePath
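The selection above is a Sigma `CommandLine|contains` list, which matches when either string appears anywhere in the process command line, case-insensitively, and the single selection is the whole condition. The following Python matcher is an added example, not code from the LoFP page or the Sigma project: it reproduces that logic and runs it over a handful of constructed process-creation events (hypothetical values, not real telemetry), including one benign event of the kind the page title refers to, so the false-positive case is visible alongside the suspicious ones. The event dictionary keys (`Image`, `CommandLine`) are an assumption about the log schema.

```python
"""Added example: evaluate the rule's CommandLine|contains selection over
constructed process-creation events. Not part of the original page or of the
Sigma project; event field names are assumed."""

# Strings copied from the rule's selection. Sigma treats a list under one
# field as a logical OR, and the `contains` modifier is case-insensitive.
SELECTION_CONTAINS = (
    "ConsoleHost_history.txt",
    "(Get-PSReadLineOption).HistorySavePath",
)


def matches_rule(command_line: str) -> bool:
    """True when the command line satisfies `selection`, i.e. the rule fires."""
    haystack = command_line.lower()
    return any(needle.lower() in haystack for needle in SELECTION_CONTAINS)


def matching_events(events):
    """Return the subset of events that would raise this detection."""
    return [event for event in events if matches_rule(event["CommandLine"])]


# Constructed sample events (hypothetical; paths and user name are made up).
SAMPLE_EVENTS = [
    # Suspicious: reading the history file by its well-known path.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'},
    # Suspicious: resolving the path through PSReadLine instead of naming the file.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -c "Get-Content (Get-PSReadLineOption).HistorySavePath"'},
    # Benign (the false positive the page names): a user opening their own history in an editor.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    # Unrelated PowerShell activity: must not match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-Process | Sort-Object CPU"'},
    # Unrelated cmd activity: must not match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice\Documents"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_rule(event["CommandLine"]) else "ok    "
        print(verdict, event["CommandLine"])
```

Running the block prints three alerts out of five events; the notepad event shows why the LoFP entry exists: the rule cannot tell a user reviewing their own history from a collection attempt, so triage has to look at the user, parent process and session context rather than the command line alone.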