legitimate access of the console history file is possible

t1552
t1552.001
windows
sigma

Techniques

t1552
t1552.001

Sample rules

Potential PowerShell Console History Access Attempt via History File

source: sigma
technicques:
- t1552
- t1552.001

Description

Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ConsoleHost_history.txt
  - (Get-PSReadLineOption).HistorySavePath