
Summary
This detection rule alerts security analysts to the deletion of the PowerShell ConsoleHost history file, "ConsoleHost_history.txt". The file, typically located in the user's AppData directory, records the commands executed in PowerShell sessions. Attackers often delete it to obscure their activity and evade detection, especially during the post-exploitation phase of an attack. The rule uses Sysmon events (Event ID 23 for delete file operations and Event ID 26 for file created/deleted operations) to identify potentially malicious deletion events that specifically target this file. By monitoring for its deletion, security operations can detect anti-forensic behavior and unauthorized administrative actions. Implementation requires Sysmon logs that capture this type of file activity; although administrators may occasionally delete the file, doing so is rare for typical users, so such events warrant further investigation.
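The detection logic described above, run over constructed Sysmon event records, as an added example that is not part of the original rule page. It assumes the standard Windows Event XML layout that Sysmon emits (EventID under System, named Data elements under EventData) and matches Event IDs 23 and 26 whose TargetFilename ends in ConsoleHost_history.txt; all sample records and account names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Sysmon file-deletion event IDs the rule keys on (23 and 26).
DELETE_EVENT_IDS = {23, 26}
# Case-insensitive match on the history file name at the end of the target path
# (NTFS paths are case-insensitive, so "consolehost_history.txt" must also hit).
HISTORY_FILE_RE = re.compile(r"(?i)[\\/]ConsoleHost_history\.txt$")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

@dataclass(frozen=True)
class SysmonEvent:
    event_id: int
    image: str            # process that performed the operation
    user: str
    target_filename: str

def parse_sysmon_event(xml_text: str) -> SysmonEvent:
    """Parse one Windows Event XML record into the fields the rule needs."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return SysmonEvent(event_id, data.get("Image", ""), data.get("User", ""), data.get("TargetFilename", ""))

def is_history_deletion(ev: SysmonEvent) -> bool:
    """True only for a delete event (23/26) whose target is the ConsoleHost history file."""
    return ev.event_id in DELETE_EVENT_IDS and HISTORY_FILE_RE.search(ev.target_filename) is not None

def find_history_deletions(records):
    return [ev for ev in map(parse_sysmon_event, records) if is_history_deletion(ev)]

# Constructed sample records (not real telemetry); hypothetical helper to build them.
def _record(event_id, image, user, target):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data><Data Name="User">{user}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')

PSREADLINE = r"\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    _record(23, r"C:\Windows\System32\cmd.exe", r"CORP\alice", r"C:\Users\alice" + PSREADLINE + r"\ConsoleHost_history.txt"),
    _record(26, PS_EXE, r"CORP\bob", r"C:\Users\bob" + PSREADLINE + r"\consolehost_history.txt"),
    _record(11, PS_EXE, r"CORP\bob", r"C:\Users\bob" + PSREADLINE + r"\ConsoleHost_history.txt"),  # file create, not a delete
    _record(23, r"C:\Windows\explorer.exe", r"CORP\alice", r"C:\Users\alice\Documents\notes.txt"),  # unrelated delete
    _record(23, r"C:\Windows\explorer.exe", r"CORP\alice", r"C:\Temp\ConsoleHost_history.txt.bak"),  # different file name
]

if __name__ == "__main__":
    for ev in find_history_deletions(SAMPLE_RECORDS):
        print(f"ALERT EventID={ev.event_id} user={ev.user} image={ev.image} target={ev.target_filename}")
```

Only the first two records alert; the Event ID 11 create, the unrelated delete and the `.bak` suffix are filtered out, which is the triage distinction the rule relies on.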
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1070.003
Created: 2025-03-17