legitimate script that disables the command history

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml>sigma
technicques: t1070 t1070.003

Techniques

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

condition: selection
selection:
  ScriptBlockText|contains|all:
  - Remove-Module
  - psreadline