Windows ConsoleHost History File Deletion

Splunk Security Content

Summary
This detection rule alerts security analysts to the deletion of the PowerShell ConsoleHost history file, "ConsoleHost_history.txt". The file, typically located in the user's AppData directory, records the commands executed in PowerShell sessions. Attackers often delete it to obscure their activity and evade detection, especially during the post-exploitation phase of an attack. The rule uses Sysmon events (Event ID 23 for delete file operations and Event ID 26 for file created/deleted operations) to identify potentially malicious deletion events that specifically target this file. By monitoring for its deletion, security operations can detect anti-forensic behavior and unauthorized administrative actions. Implementation requires Sysmon logging that captures this type of file activity. Although administrators occasionally delete the file, doing so is rare for typical users, so such events warrant further investigation.
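As an added example, not the Splunk detection's own search logic, the Python below applies the same test to Sysmon-style file events: keep only delete events (Event ID 23 or 26) whose target basename is ConsoleHost_history.txt, then pull the fields an analyst triages first. The key="value" log format and every event value are constructed; the PSReadLine path in the samples is the usual location of the file under AppData.

```python
"""Flag Sysmon delete events (EID 23/26) that remove the PowerShell ConsoleHost history file."""
import re

DELETE_EVENT_IDS = {"23", "26"}            # Sysmon FileDelete / FileDeleteDetected
HISTORY_FILE = "consolehost_history.txt"   # compared case-insensitively

_KV = re.compile(r'(\w+)="([^"]*)"')       # constructed key="value" line format


def parse_line(line: str) -> dict:
    """Parse one constructed Sysmon-style log line into a field dictionary."""
    return dict(_KV.findall(line))


def is_history_deletion(event: dict) -> bool:
    """True when a delete event's target file is ConsoleHost_history.txt (any directory, any case)."""
    if event.get("EventID") not in DELETE_EVENT_IDS:
        return False
    target = event.get("TargetFilename", "").replace("/", "\\")
    return target.rsplit("\\", 1)[-1].lower() == HISTORY_FILE


def triage_fields(event: dict) -> dict:
    """Return who deleted the file, with which process, when, and whether it sat under AppData."""
    target = event.get("TargetFilename", "")
    return {
        "time": event.get("UtcTime"),
        "user": event.get("User"),
        "image": event.get("Image"),
        "target": target,
        "in_appdata": "\\appdata\\" in target.lower(),   # expected location per the rule
    }


def detect(lines) -> list:
    """Run the rule over raw log lines and return one triage record per match."""
    return [triage_fields(e) for e in map(parse_line, lines) if is_history_deletion(e)]


# Constructed sample events, not real telemetry. Only the first two should match:
# the third deletes a different file, the fourth is EID 11 (FileCreate), not a delete.
SAMPLE_LOG = [
    'EventID="23" UtcTime="2025-03-17 10:01:02.000" User="CORP\\alice" Image="C:\\Windows\\System32\\cmd.exe" TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"',
    'EventID="26" UtcTime="2025-03-17 10:05:00.000" User="CORP\\bob" Image="C:\\Windows\\explorer.exe" TargetFilename="C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\consolehost_history.txt"',
    'EventID="23" UtcTime="2025-03-17 10:06:00.000" User="CORP\\bob" Image="C:\\Windows\\System32\\cmd.exe" TargetFilename="C:\\Users\\bob\\Downloads\\notes.txt"',
    'EventID="11" UtcTime="2025-03-17 10:07:00.000" User="CORP\\carol" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" TargetFilename="C:\\Users\\carol\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The `image` field is what separates an administrator's interactive cleanup from a script or tool deleting the file during post-exploitation, so it belongs in the alert rather than only in a later search.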
Categories
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1070.003
Created: 2025-03-17