
Summary
This detection rule identifies PowerShell being used to delete its own command history file ('ConsoleHost_history.txt'). Such behavior may signal an attempt by attackers to erase traces of their activity and evade detection. The detection relies on events logged by PowerShell Script Block Logging, specifically deletions of the history file through commands like 'Remove-Item' and the associated PowerShell execution activity. Users do occasionally clear their history for legitimate reasons, but repeated deletions should trigger further investigation because they may indicate malicious intent. Implementing the rule requires PowerShell Script Block Logging to be enabled on the relevant endpoints. Reviewing the context of each deletion is crucial to determine whether it is a benign or malicious action.
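As an added example (not the rule's own query), the following Python applies the rule's logic to constructed Script Block Logging events (Event ID 4104): it flags a block only when a delete command and the history file appear together, then counts repeats per host and user. The Remove-Item alias list and the .NET File.Delete branch are assumptions that broaden "commands like 'Remove-Item'"; the event fields and sample paths are constructed.

```python
import re
from collections import Counter

# Delete verbs: Remove-Item and its built-in aliases, or the .NET API (assumed extension).
DELETE_RE = re.compile(
    r"(?<![\w-])(Remove-Item|ri|rm|rmdir|rd|del|erase)(?![\w-])"
    r"|\[System\.IO\.File\]::Delete\(",
    re.IGNORECASE,
)
# Targets: the history file by name, or PSReadLine's HistorySavePath property.
HISTORY_RE = re.compile(r"ConsoleHost_history\.txt|HistorySavePath", re.IGNORECASE)

def is_history_deletion(script_block: str) -> bool:
    """True when one script block both deletes something and names the history file."""
    return bool(DELETE_RE.search(script_block) and HISTORY_RE.search(script_block))

def find_history_deletions(events):
    """Return only Script Block Logging (4104) events whose text matches the rule."""
    return [e for e in events
            if e.get("EventID") == 4104 and is_history_deletion(e["ScriptBlockText"])]

def deletions_per_user(events, threshold=2):
    """Count matches per (host, user); repeated deletions warrant closer review."""
    counts = Counter((e["Computer"], e["User"]) for e in find_history_deletions(events))
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "User": "alice",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4104, "Computer": "WS01", "User": "alice",
     "ScriptBlockText": r"Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"EventID": 4104, "Computer": "WS02", "User": "bob",
     "ScriptBlockText": "rm (Get-PSReadLineOption).HistorySavePath -Force"},
    {"EventID": 4104, "Computer": "WS02", "User": "bob",
     "ScriptBlockText": r"[System.IO.File]::Delete('C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt')"},
    {"EventID": 4104, "Computer": "WS03", "User": "carol",
     "ScriptBlockText": "Get-Content ConsoleHost_history.txt"},   # reads the file, no deletion
    {"EventID": 4103, "Computer": "WS03", "User": "carol",
     "ScriptBlockText": "Remove-Item ConsoleHost_history.txt"},   # not a 4104 event, ignored
]

if __name__ == "__main__":
    for e in find_history_deletions(SAMPLE_EVENTS):
        print(f"{e['Computer']} {e['User']}: {e['ScriptBlockText']}")
    print(deletions_per_user(SAMPLE_EVENTS))
```

A single match is the rule's base alert; the per-user count is the "frequent deletions" escalation the summary describes.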
Categories
- Endpoint
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1059.003
- T1070.003
Created: 2025-03-17