Windows ConsoleHost History File Deletion

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects the deletion of the ConsoleHost_history.txt file, which stores command history for PowerShell sessions. Attackers may attempt to remove this file to cover their tracks and evade detection during post-exploitation activities. This detection focuses on file deletion commands executed via PowerShell, Command Prompt, or scripting languages that specifically target ConsoleHost_history.txt, typically located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Identifying such activity can help uncover potential anti-forensic behavior and suspicious administrative actions.

MITRE ATT&CK coverage

Tactic            Technique
Defense Evasion   T1070.003 Indicator Removal: Clear Command History

Event coverage

Provider   Event ID   Title
Sysmon     23         FileDelete (File Delete archived)
Sysmon     26         FileDeleteDetected (File Delete logged)

Stages and Predicates

Stage 1: search

search EventCode IN ("23", "26") TargetFilename="*\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt"

Stage 2: stats

stats BY action, dest, dvc, file_path, file_hash, file_name, file_modify_time, process_name, process_exec, process_id, process_path, user_id, vendor_product, process_guid, signature, signature_id, user

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
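The two populated stages above are straightforward to reproduce outside Splunk, which is useful for unit-testing the rule's matching logic against known-good and known-bad records before deploying it. The following Python is an added example, not code from the rule's author or from the Splunk content catalog: it applies the stage 1 predicate (event ID 23 or 26 and a case-insensitive wildcard match on TargetFilename, mirroring how SPL compares field values) to a handful of constructed Sysmon-style events, then performs a reduced version of the stage 2 grouping over a subset of the BY fields. The sample events, host names and user names are constructed.

```python
import fnmatch
from collections import Counter

# Sysmon event IDs the rule keys on: 23 = FileDelete (archived), 26 = FileDeleteDetected (logged).
EVENT_CODES = {"23", "26"}

# Same wildcard as the rule's stage 1. In SPL a "\\" inside a quoted string is one literal
# backslash, so this Python string is the unescaped equivalent of the rule's pattern.
TARGET_PATTERN = "*\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt"

# Constructed sample events (not real telemetry), shaped like Sysmon records after field
# extraction. Only the fields the rule touches are present.
SAMPLE_EVENTS = [
    {"EventCode": "23", "dest": "ws01", "user": "alice", "process_name": "powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"},
    # Mixed case in the path: must still match, as it would in Splunk.
    {"EventCode": "26", "dest": "ws02", "user": "bob", "process_name": "cmd.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\consolehost_history.txt"},
    # Deletion of an unrelated file: right event ID, wrong path.
    {"EventCode": "23", "dest": "ws01", "user": "alice", "process_name": "explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # Right path, but event ID 11 (FileCreate) is not a deletion event.
    {"EventCode": "11", "dest": "ws01", "user": "alice", "process_name": "powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"},
]


def matches_stage1(event):
    """Stage 1 predicate: EventCode IN ("23", "26") AND TargetFilename matches the wildcard.

    Splunk matches field values case-insensitively, so both sides are lowercased here.
    fnmatchcase is used (rather than fnmatch) so behaviour does not depend on the host OS.
    """
    if event.get("EventCode") not in EVENT_CODES:
        return False
    target = event.get("TargetFilename", "")
    return fnmatch.fnmatchcase(target.lower(), TARGET_PATTERN.lower())


def stage2_stats(events, keys=("dest", "user", "process_name")):
    """Reduced stage 2: count stage-1 matches grouped by a subset of the rule's BY fields."""
    counter = Counter()
    for ev in events:
        if matches_stage1(ev):
            counter[tuple(ev.get(k) for k in keys)] += 1
    return counter


if __name__ == "__main__":
    for group, count in stage2_stats(SAMPLE_EVENTS).items():
        dest, user, proc = group
        print(f"{dest} {user} {proc}: {count} ConsoleHost_history.txt deletion(s)")
```

Two points from the sample set carry over to tuning the real rule: the path wildcard is anchored only at the end, so the match is independent of the profile directory, and event 23 only appears when Sysmon is configured to archive deleted files, so an environment that logs only event 26 still triggers the rule but loses the archived copy that would show what the history contained.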

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field            Kind   Values
EventCode        in
  • "23" corpus 6 (splunk 6)
  • "26" corpus 6 (splunk 6)
TargetFilename   eq
  • "*\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt"

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.