Techniques
Sample rules
Potential PowerShell Console History Access Attempt via History File
- source: sigma
- techniques:
  - t1552
  - t1552.001
Description
Detects potential attempts to access the PowerShell console history directly via the history file (ConsoleHost_history.txt). The file can expose plaintext passwords used in PowerShell commands, or be used for general reconnaissance.
Detection logic
condition: selection
selection:
  CommandLine|contains:
    - ConsoleHost_history.txt
    - (Get-PSReadLineOption).HistorySavePath
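
The selection above evaluated over constructed process-creation events, as an added example (not part of the Sigma rule or its project). The event dicts and helper names are assumptions, and only the `contains` modifier is implemented; matching is case-insensitive, as Sigma string matching is by default.

```python
# Added example: applies this rule's selection to constructed events.
RULE_SELECTION = {
    "CommandLine|contains": [
        "ConsoleHost_history.txt",
        "(Get-PSReadLineOption).HistorySavePath",
    ],
}

def field_matches(event, key, patterns):
    """Apply one 'Field|modifier' entry; values in the list are OR-ed."""
    field, _, modifier = key.partition("|")
    if modifier != "contains":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    value = event.get(field)
    if value is None:          # field absent from the event: no match
        return False
    haystack = str(value).lower()
    return any(p.lower() in haystack for p in patterns)

def selection_matches(event, selection=RULE_SELECTION):
    """Every field entry in the selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIST = r"\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -c Get-Content $env:APPDATA" + HIST},
    {"Image": PS, "CommandLine": "powershell.exe -c cat (get-psreadlineoption).historysavepath"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\alice\AppData\Roaming" + HIST.upper()},
    {"Image": PS, "CommandLine": "powershell.exe -c Get-History"},  # in-session history only
    {"Image": PS},                                                  # CommandLine not logged
]

def triage(events):
    """Return the indexes of events the rule would alert on."""
    return [i for i, e in enumerate(events) if selection_matches(e)]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events without a CommandLine field never match, so the rule depends on command-line logging being enabled for process creation.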