Clearing Windows Console History

About the rule

Rule Type

Standard

Rule Description

The Windows Console is a primary interface for executing commands and launching programs in a Windows system. The Windows Console History is typically a record of all commands and programs executed on the system. Attackers may attempt to clear this history to erase traces of their activities, including account compromises, privilege escalations, lateral movements, and more, in order to evade detection. This rule helps detect such attempts to clear the command execution history within the Windows Console.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Command executions on Windows Console → Privilege escalation → Defense Evasion → Clear Command History

Impact

• System compromise
• Defense evasion
• Persistence

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((((( SCRIPTEXECUTED CONTAINS ""clear-history"" ) ))) OR (((( SCRIPTEXECUTED CONTAINS ""remove-item"" ) OR ( SCRIPTEXECUTED CONTAINS ""rm"" ) )))) AND (((( SCRIPTEXECUTED CONTAINS ""consolehost_history.txt"" ) OR ( SCRIPTEXECUTED CONTAINS ""(get-psreadlineoption).historysavepath"" ) ))))

This rule is triggered when the executed script contains the following suspicious elements:

• clear-history: A command used to clear PowerShell session command history.
• remove-item: A command used to delete or remove a file.
• rm: An alias for the remove-item command used to delete files.
• consolehost_history.txt: Refers to the file containing PowerShell command history.
• (get-psreadlineoption).historysavepath: A command used to retrieve the file path where PowerShell history is stored.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Indicator Removal (T1070); Defense Evasion: Indicator Removal - Clear Command History (T1070.003)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of a PowerShell script execution that clears the Windows Console History. This enables you to monitor runtime environments like PowerShell, detect attempts to clear command history, and identify potential malware activity in the system.

Author

Austin Songer @austinsonger

Future actions

Known False Positives

This rule might be triggered when admins clear the Windows Console History as part of periodic system maintenance.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell executions: Continuously monitor PowerShell activities, block command executions that clear command history and restrict script execution privileges to administrators only.

Mitigation