The deletion of PowerShell console history logs may indicate an adversary attempting to erase forensic evidence of their activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evidence destruction and uncover hidden malicious actions.
Detection Rule
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
    condition: selection
falsepositives:
    - Unknown
level: medium
imFileEvent
| where EventType == "FileDeleted"   // the rule targets deletions only; imFileEvent also carries create, modify and rename events
| where TargetFilePath endswith @"\PSReadLine\ConsoleHost_history.txt"   // TargetFilePath holds the full path; TargetFileName is the bare file name and would never match this suffix
Scenario: Scheduled Job Cleanup
Description: A legitimate scheduled job runs to clean up temporary files, including PowerShell history logs.
Filter/Exclusion: ProcessName != "schtasks" AND ProcessName != "TaskScheduler" (both must hold; joining them with OR is always true and excludes nothing), or check for known cleanup tools like CCleaner or Disk Cleanup.

Scenario: System Maintenance Task
Description: An admin task or script (e.g., PsExec, PowerShell.exe with -Command) is used to remove old logs as part of routine system maintenance.
Filter/Exclusion: ProcessName != "PowerShell.exe" OR CommandLine NOT LIKE "*-Command*" (i.e., exclude only events where both match), or check for known maintenance scripts in a trusted directory.

Scenario: User-Initiated Log Cleanup
Description: A user manually deletes PowerShell history logs using the Clear-History cmdlet or by editing the .history file directly.
Filter/Exclusion: CommandLine NOT LIKE "*Clear-History*" AND CommandLine NOT LIKE "*Edit*", or check for user accounts with known legitimate cleanup behavior.

Scenario: Antivirus or Endpoint Protection Scan
Description: An endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Kaspersky) deletes PowerShell history logs as part of a scan or quarantine process.
Filter/Exclusion: ProcessName != "MsMpEng.exe" AND ProcessName != "Mcshield.exe", or check for known AV processes in the system.

Scenario: PowerShell Module Update or Installation
Description: A PowerShell module update or installation process deletes old history logs as part of the installation or configuration.
Filter/Exclusion: CommandLine NOT LIKE "*Update-Module*" AND CommandLine NOT LIKE "*Install-Module*", or check for known module management tools like PowerShellGet.
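The following hunting query is an added example, not the rule author's or the page's own code. It runs the page's detection against the ASIM imFileEvent parser and turns the false-positive scenarios above into explicit allowlists, so that excluded events are named rather than silently dropped. The AV and scheduler process lists and the trusted script directory are assumptions that must be tuned per environment; the ASIM column names (EventType, TargetFilePath, ActingProcessName, ActingProcessCommandLine, ActorUsername, DvcHostname) are from the FileEvent schema.

```kql
// Added hunting query (example code, not the page's or the rule author's).
// Applies the page's detection to imFileEvent and folds the false-positive
// scenarios into allowlists. Process lists and the trusted script directory
// are assumptions to be tuned per environment.
let lookback = 7d;
let av_processes = dynamic(["MsMpEng.exe", "Mcshield.exe"]);     // AV engines named in the scenarios
let scheduler_processes = dynamic(["schtasks.exe"]);              // scheduled-task launcher from the first scenario (assumption)
let trusted_script_dir = @"C:\ProgramData\CorpIT\Maintenance\";  // placeholder for the site's maintenance script location
imFileEvent
| where TimeGenerated > ago(lookback)
| where EventType == "FileDeleted"                                      // imFileEvent also carries create/modify/rename events
| where TargetFilePath endswith @"\PSReadLine\ConsoleHost_history.txt"  // default PSReadLine history location
// ActingProcessName may carry the full image path; compare on the image name only
| extend ActingImage = tostring(split(ActingProcessName, @"\")[-1])
// Scenario: antivirus or endpoint protection scan
| where ActingImage !in~ (av_processes)
// Scenario: scheduled job cleanup
| where ActingImage !in~ (scheduler_processes)
// Scenario: system maintenance task run from a trusted script directory
| where not(ActingProcessCommandLine contains trusted_script_dir)
// Scenario: PowerShell module update or installation
| where not(ActingProcessCommandLine contains "Update-Module" or ActingProcessCommandLine contains "Install-Module")
| summarize Deletions    = count(),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated),
            Images       = make_set(ActingImage),
            CommandLines = make_set(ActingProcessCommandLine, 10)
          by DvcHostname, ActorUsername
| order by Deletions desc
```

The user-initiated cleanup scenario is deliberately left unfiltered: an interactive deletion of the console history by a named account is the event this hunt exists to surface, so it is grouped by ActorUsername for triage rather than suppressed. Each allowlist is a separate `where` so that a single line can be commented out to see what it was hiding, and the exclusions are on the acting process and command line, never on the target path, which stays fixed to the default PSReadLine location the rule keys on.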