Anti-Forensics
Account Misuse
Clear Browser Artifacts
Clear Email Artifacts
Decrease Privileges
Delayed Execution Triggers
Delete User Account
Deletion of Volume Shadow Copy
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Hiding or Destroying Command History
Log Deletion
Log Modification
Modify Windows Registry
Network Obfuscation
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Stalling
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Virtualization
Windows System Time Modification
- ID: AF001.001
- Created: 25th May 2024
- Updated: 09th June 2024
- Platform: Windows
- Contributor: The ITM Team
Clear PowerShell History
A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities.
PowerShell stores command history in the context of a user account. This file is located at C:/Users/%username%/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline.
A subject can delete their own PSReadline file without any special permissions.
A subject may attempt to use the Clear-History Cmdlet, however this will only clear commands from the current session, does not affect the PSReadline history file.