Insider Threat Matrix™

  • ID: DT001
  • Created: 25th May 2024
  • Updated: 14th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

ConsoleHost_history.txt Created Timestamp Discrepancy

A "Created" timestamp on the ConsoleHost_history.txt file (located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine) that is later than the subject's earliest known use of PowerShell may indicate that the file was deleted and then automatically recreated by the PSReadLine module the next time the subject ran PowerShell. Recent modifications alone are not suspicious, since PSReadLine appends to the file after every command; the discrepancy is a recent "Created" timestamp on a file that should have existed since the subject first used PowerShell. This may represent an anti-forensics technique if the subject is known to have used PowerShell at any time prior to the "Created" timestamp.
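The following PowerShell script is an added example of how to check for this discrepancy across local user profiles; it is not part of the ITM page. It relies on one assumption the page does not state: the PSReadLine folder is created the first time PSReadLine saves history and is not removed when the subject deletes ConsoleHost_history.txt, so the folder's own CreationTime is a lower bound on the account's first PowerShell use that survives the deletion. The threshold of one hour is an arbitrary illustrative value.

```powershell
# Added example, not from the ITM page. Enumerates local user profiles and flags a
# ConsoleHost_history.txt whose "Created" timestamp is much later than the creation
# of its parent PSReadLine folder, or which is missing although the folder exists.
#
# Assumption (not stated on the page): PSReadLine creates the PSReadLine folder the
# first time it saves history and never deletes it, so the folder's CreationTime is
# a lower bound on the user's first PowerShell use that survives deletion of the file.

param(
    # Gap between folder creation and file creation treated as suspicious (illustrative).
    [int]$ThresholdHours = 1,
    [string]$ProfileRoot = 'C:\Users'
)

$relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $dir  = Join-Path $_.FullName $relative
    $file = Join-Path $dir 'ConsoleHost_history.txt'

    # No PSReadLine folder: this account has never had PowerShell history saved.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return }

    $dirItem  = Get-Item -LiteralPath $dir
    $fileItem = Get-Item -LiteralPath $file -ErrorAction SilentlyContinue
    $gap      = $null

    if ($null -eq $fileItem) {
        # Folder exists but the file does not: history was removed and PowerShell has
        # not been used since (PSReadLine would otherwise have recreated the file).
        $verdict = 'history file missing'
    }
    else {
        # A file created long after its folder was created did not exist continuously.
        $gap = $fileItem.CreationTime - $dirItem.CreationTime
        $verdict = if ($gap.TotalHours -gt $ThresholdHours) {
            'created timestamp discrepancy'
        } else {
            'consistent'
        }
    }

    [pscustomobject]@{
        User          = $_.Name
        FolderCreated = $dirItem.CreationTime
        FileCreated   = if ($null -ne $fileItem) { $fileItem.CreationTime } else { $null }
        FileModified  = if ($null -ne $fileItem) { $fileItem.LastWriteTime } else { $null }
        GapHours      = if ($null -ne $gap) { [math]::Round($gap.TotalHours, 2) } else { $null }
        Verdict       = $verdict
    }
} | Sort-Object Verdict | Format-Table -AutoSize
```

Run it from an elevated prompt so that other users' profile folders are readable. Two caveats apply to any check based on these timestamps: the CreationTime read here is the NTFS $STANDARD_INFORMATION value, which the file owner can rewrite with no special tooling (for example by assigning (Get-Item $file).CreationTime), so the $FILE_NAME timestamps in the $MFT are the better reference during a forensic review; and NTFS file-name tunneling can carry the old creation time over to a file that is deleted and recreated with the same name in the same folder within a short window (15 seconds by default), so a quick delete-and-recreate may not produce a discrepancy at all.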

Sections

AF001 - Clear Command History

A subject clears command history to prevent executed commands from being reviewed, since those commands would disclose information about the subject's activities.

AF001.001 - Clear PowerShell History

A subject clears PowerShell command history to prevent executed commands from being reviewed, since those commands would disclose information about the subject's activities.

PowerShell, through the PSReadLine module, stores command history per user account. The history file is located at C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

Because the file sits inside the subject's own user profile, a subject can delete their own PSReadLine history file without any special permissions.

A subject may attempt to use the Clear-History cmdlet; however, this only clears the command history of the current PowerShell session (the entries returned by Get-History) and does not affect the PSReadLine history file on disk.