
Insider Threat Matrix™

  • ID: AF001.001
  • Created: 25th May 2024
  • Updated: 09th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Clear PowerShell History

A subject clears PowerShell command history to prevent the commands they executed from being reviewed, since that history would disclose information about the subject's activities.

PowerShell stores command history per user account, in the file ConsoleHost_history.txt under C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine.

A subject can delete their own PSReadLine history file without any special permissions, because it resides within their own user profile.

A subject may attempt to use the Clear-History cmdlet; however, this only clears the in-memory history of the current session and does not affect the PSReadLine history file on disk.

Prevention

PV001 - No Ready System-Level Mitigation

This technique cannot be readily mitigated at a system level with preventive controls, since it is based on the abuse of fundamental features of the system.

Detection

DT001 - ConsoleHost_history.txt Created Timestamp Discrepancy

A recent "Created" timestamp on the ConsoleHost_history.txt file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine may indicate that the file has been deleted and subsequently recreated automatically by the Operating System. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell at any time prior to the "Created" timestamp of the file.

DT002 - ConsoleHost_history.txt File Missing

If the ConsoleHost_history.txt file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine is missing, the file has been deleted. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell at any time.

DT055 - PowerShell Logging

Detailed PowerShell logging is not enabled by default and must be configured.

PowerShell is able to record the processing of commands, script blocks, functions, and scripts whether invoked interactively, or through automation.

PowerShell logging can be enabled through Group Policy under: Administrative Templates → Windows Components → Windows PowerShell

There are three available logging types: Module Logging, Script Block Logging and Transcription.

Module Logging: Records pipeline execution details, such as variable initialisation and command invocations, capturing portions of scripts and some de-obfuscated code. This logging is available since PowerShell 3.0 and generates a large volume of events, providing valuable output not captured elsewhere. Events are written to Event ID 4103.

Module logging can be enabled by setting the following registry values:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging
    EnableModuleLogging = 1

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
    * = *

Script Block Logging: Captures blocks of code as they are executed, including de-obfuscated code, allowing visibility into the full contents of executed scripts and commands. This feature is available in PowerShell 5.0 and records events under Event ID 4104.

Script block logging can be enabled by setting the following registry value:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
    EnableScriptBlockLogging = 1

Transcription: Records the input and output of entire PowerShell sessions, providing a comprehensive record of all commands executed and their results.

Transcription logging can be enabled by setting the following registry values:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
    EnableTranscripting = 1

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
    EnableInvocationHeader = 1

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
    OutputDirectory = "" (Enter path. Empty = default)
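
The following script is an added example (not part of the ITM entry) that applies DT001, DT002 and DT055 to a host: it walks every local profile for a missing or recreated ConsoleHost_history.txt, then reports whether the logging policy values listed above are set. It assumes profiles live under C:\Users and treats a history file created more than a few minutes after its PSReadLine folder as evidence of deletion and automatic recreation; the five-minute threshold is an assumption, not something the entry specifies.

```powershell
# Added example, not part of the ITM entry: audit each local profile for a
# missing (DT002) or recreated (DT001) ConsoleHost_history.txt, then report the
# DT055 policy values. Assumptions: profiles live under C:\Users, and a history
# file created more than $ThresholdMinutes after its PSReadLine folder is taken
# as evidence of deletion followed by automatic recreation.
$ThresholdMinutes = 5
$Findings = foreach ($UserDir in Get-ChildItem 'C:\Users' -Directory) {
    $PsrlDir = Join-Path $UserDir.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'
    if (-not (Test-Path $PsrlDir)) { continue }       # user has never run PSReadLine
    $History = Join-Path $PsrlDir 'ConsoleHost_history.txt'
    if (-not (Test-Path $History)) {
        [pscustomobject]@{ User = $UserDir.Name; Rule = 'DT002'; Detail = 'history file missing' }
        continue
    }
    # The folder is created on first PSReadLine use; the file should be about as old.
    $Gap = (Get-Item $History).CreationTime - (Get-Item $PsrlDir).CreationTime
    if ($Gap.TotalMinutes -gt $ThresholdMinutes) {
        [pscustomobject]@{ User = $UserDir.Name; Rule = 'DT001'
            Detail = "history file created $([int]$Gap.TotalDays) day(s) after PSReadLine folder" }
    }
}
$Findings | Format-Table -AutoSize

# DT055: report whether each logging policy value is set to 1. Both the native
# policy key and the Wow6432Node key named in the entry are checked.
$Roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
         'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'
$Values = @{ ModuleLogging      = 'EnableModuleLogging'
             ScriptBlockLogging = 'EnableScriptBlockLogging'
             Transcription      = 'EnableTranscripting' }
foreach ($Sub in $Values.Keys) {
    $Name = $Values[$Sub]
    $Set  = foreach ($Root in $Roots) {
        (Get-ItemProperty -Path "$Root\$Sub" -Name $Name -ErrorAction SilentlyContinue).$Name -eq 1
    }
    $State = if ($Set -contains $true) { 'enabled' } else { 'NOT enabled' }
    '{0,-26} {1}' -f $Name, $State
}
```

Run from an elevated session so that every profile directory is readable; a DT001 finding should be corroborated against Event ID 4103/4104 records or transcripts for the same user where DT055 logging is in place.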