Anti-Forensics
- ID: AF001.001
- Created: 25th May 2024
- Updated: 09th June 2024
- Platform: Windows
- Contributor: The ITM Team
Clear PowerShell History
A subject clears PowerShell command history to prevent the commands they executed from being reviewed, since that history would disclose information about the subject's activities.

PowerShell, through the PSReadLine module, stores command history per user account in a plain-text file. By default the file is `C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`; the path in effect for a session can be read with `(Get-PSReadLineOption).HistorySavePath`. PSReadLine appends each accepted command to this file as it is entered, so the file records commands across all of the user's interactive sessions, not just the current one.

A subject can delete their own history file without any special permissions, because it resides in their own user profile.

A subject may attempt to use the Clear-History cmdlet; however, this only clears the in-memory history of the current session (the entries returned by Get-History) and does not affect the PSReadLine history file. After the file is deleted, PSReadLine silently creates a new one the next time a command is entered, so the replacement file carries a fresh creation timestamp.
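The session below illustrates the distinction between session history and the on-disk PSReadLine file. It is an added example, not content from the ITM entry; it assumes an interactive console with PSReadLine loaded (the default in Windows PowerShell 5.1 and PowerShell 7) and PSReadLine's default incremental history saving. Run it in a throwaway account, because the final step deletes the history file.

```powershell
# Added example (not from the original ITM page): where PSReadLine persists
# history, and why Clear-History alone leaves the on-disk record intact.

# PSReadLine exposes the path it writes to; this avoids hardcoding %APPDATA%.
$historyFile = (Get-PSReadLineOption).HistorySavePath
"History file: $historyFile"

# Commands persisted so far. PSReadLine appends each accepted command line,
# so this spans every earlier interactive session of this user.
$before = @(Get-Content -Path $historyFile -ErrorAction SilentlyContinue).Count
"Lines on disk before Clear-History: $before"

# Clear-History empties only the in-session buffer that Get-History reads...
Clear-History
"Get-History entries after Clear-History: $(@(Get-History).Count)"

# ...while the file on disk is untouched (the count is unchanged, or larger,
# because the commands typed in this script have themselves been appended).
$after = @(Get-Content -Path $historyFile -ErrorAction SilentlyContinue).Count
"Lines on disk after Clear-History:  $after"

# What the subject actually has to do: remove the file. No elevated rights are
# needed because it sits inside the subject's own profile.
Remove-Item -Path $historyFile -Force -ErrorAction SilentlyContinue
"File exists after Remove-Item: $(Test-Path -Path $historyFile)"

# Note: the next command accepted at this prompt makes PSReadLine recreate the
# file, with a CreationTime of "now" rather than when the user first used
# PowerShell. That discrepancy is what file-based detection keys on.
```

If `Get-PSReadLineOption` is not recognised, the session is not using PSReadLine (for example the ISE, or a host where the module failed to load), and no history file is being written in the first place.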
Prevention
ID | Name | Description |
---|---|---|
PV001 | No Ready System-Level Mitigation | This technique cannot be readily mitigated at a system level with preventive controls, since it relies on the abuse of fundamental features of the system (a user deleting a file in their own profile). |
Detection
ID | Name | Description |
---|---|---|
DT001 | ConsoleHost_history.txt Created Timestamp Discrepancy | A ConsoleHost_history.txt file whose created timestamp is recent relative to the user's earlier PowerShell activity (for example, much newer than the PSReadLine directory that contains it) indicates the original file was deleted and PSReadLine has since recreated it. |
DT002 | ConsoleHost_history.txt File Missing | If the ConsoleHost_history.txt file is absent from the PSReadLine directory of a user who is known to use PowerShell interactively, the file has most likely been deleted. |
DT055 | PowerShell Logging | Detailed PowerShell logging is not enabled by default and must be configured (Group Policy: Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging, or the equivalent EnableScriptBlockLogging value under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging). Once enabled, PowerShell records the content of commands, script blocks, functions, and scripts as they are processed, whether invoked interactively or through automation. These are written as Event ID 4104 to the Microsoft-Windows-PowerShell/Operational log for Windows PowerShell 5.1 and to the PowerShellCore/Operational log for PowerShell 7. Because the logged script block text includes the command used to delete the history file, this detection still works after the file itself is gone. |
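The following PowerShell hunt is an added example, not part of the ITM page. It checks DT001 and DT002 across the local user profiles and then pulls Event ID 4104 records that mention the history file (DT055). Its assumptions: it runs with administrative rights (to read other users' profiles and the Operational log); script block logging is already enabled; the creation time of the PSReadLine directory is used as a proxy for when the user first used PowerShell interactively; and the one-day gap threshold and the regex of suspicious strings are illustrative choices, not values from the page.

```powershell
# Added example, not from the original ITM entry. Assumes admin rights and that
# script block logging (Event ID 4104) is already enabled on the host.

function Find-HistoryFileIndicators {
    # DT001 / DT002: compare each profile's PSReadLine folder with the file it should hold.
    param([string]$ProfileRoot = 'C:\Users', [double]$MaxGapDays = 1)

    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory) {
        # Skip directories that are not real user profiles (e.g. Public).
        if (-not (Test-Path -Path (Join-Path $profile.FullName 'NTUSER.DAT'))) { continue }

        $psrlDir = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'
        $history = Join-Path $psrlDir 'ConsoleHost_history.txt'

        # A user who never opened a console has no PSReadLine folder and nothing to delete.
        if (-not (Test-Path -Path $psrlDir)) { continue }
        $dirCreated = (Get-Item -Path $psrlDir).CreationTime

        if (-not (Test-Path -Path $history)) {
            [pscustomobject]@{
                User = $profile.Name; Indicator = 'DT002 file missing'
                Detail = "PSReadLine folder created $dirCreated but ConsoleHost_history.txt is absent"
            }
            continue
        }

        # PSReadLine creates the folder and the file together, so their CreationTime
        # values normally match. A file created much later was deleted and recreated.
        # Assumption: a gap above $MaxGapDays is worth a look. Caveat: NTFS tunneling
        # keeps the old CreationTime if a file is recreated within ~15 s of deletion,
        # so a near-instant recreation will not show up here.
        $fileCreated = (Get-Item -Path $history).CreationTime
        if (($fileCreated - $dirCreated).TotalDays -gt $MaxGapDays) {
            [pscustomobject]@{
                User = $profile.Name; Indicator = 'DT001 created timestamp discrepancy'
                Detail = "folder created $dirCreated, history file created $fileCreated"
            }
        }
    }
}

function Find-HistoryTamperingScriptBlocks {
    # DT055: 4104 events carry the script block text in Properties[2], so the command
    # that removed the file survives even though the file itself does not.
    param(
        # Use 'PowerShellCore/Operational' to cover PowerShell 7 sessions as well.
        [string]$LogName = 'Microsoft-Windows-PowerShell/Operational',
        # Illustrative pattern: the file name, its directory, the option that
        # reveals its path, and the cmdlet subjects often try first.
        [string]$Pattern = 'ConsoleHost_history|PSReadLine|HistorySavePath|Clear-History'
    )

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $Pattern } |
        Select-Object TimeCreated,
                      @{ n = 'UserSid';     e = { $_.UserId } },
                      @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value.Trim() } }
}

Find-HistoryFileIndicators        | Format-Table -AutoSize -Wrap
Find-HistoryTamperingScriptBlocks | Format-Table -AutoSize -Wrap
```

The file checks are cheap enough to run on a schedule or from an EDR script task; the 4104 query is the one to treat as authoritative, since a subject who deletes the file and then keeps working will eventually age the recreated file past any timestamp heuristic, whereas the deleting command stays in the event log until it rolls over.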