Detections
- Home
- - Detections
- -DT002
- ID: DT002
- Created: 25th May 2024
- Updated: 14th June 2024
- Platform: Windows
- Contributor: The ITM Team
ConsoleHost_history.txt File Missing
If the ConsoleHost_history.txt
file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
, is missing, this indicates that the file has been deleted. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time.
Sections
ID | Name | Description |
---|---|---|
AF001 | Hiding or Destroying Command History | A subject clears, hides, or suppresses command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. |
AF001.001 | Clear PowerShell History | A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. PowerShell stores command history in the context of a user account. This file is located at A subject can delete their own A subject may attempt to use the |
IF027.002 | Ransomware Deployment | The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.
Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.
In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive. |