rules/windows/powershell/powershell_clear_powershell_history.yml

title: Clear PowerShell History
id: dfba4ce1-e0ea-495f-986e-97140f31af2d
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
modified: 2020/11/28
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
    - attack.defense_evasion
    - attack.t1070.003
    - attack.t1146  # an old one
logsource:
    product: windows
    service: powershell
    definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
detection:
    selection_1:
        EventID: 4104
    selection_2:
        ScriptBlockText|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
        ScriptBlockText|contains|all:
            - '(Get-PSReadlineOption).HistorySavePath'
    selection_3:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'
            - 'SaveNothing'
    selection_4:
        EventID: 4103
    selection_5:
        Payload|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
        Payload|contains|all:
            - '(Get-PSReadlineOption).HistorySavePath'
    selection_6:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'
            - 'SaveNothing'
    condition: selection_1 and ( selection_2 or selection_3 ) or 
               selection_4 and ( selection_5 or selection_6 ) 
falsepositives:
    - Legitimate PowerShell scripts
level: medium
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								title: Clear PowerShell History
-											UUIDs + moved unsupported logic
										
										
											2019-12-19 23:56:36 +01:00
+								id: dfba4ce1-e0ea-495f-986e-97140f31af2d
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								status: experimental
 								description: Detects keywords that could indicate clearing PowerShell history
 								date: 2019/10/25
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								modified: 2020/11/28
 								author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								references:
 								    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 								tags:
 								    - attack.defense_evasion
-											fix: wrong MITRE ATT&CK ids used in the beta version
										
										
											2020-07-14 17:53:32 +02:00
+								    - attack.t1070.003
-											windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
										
										
											2020-08-24 00:01:50 +00:00
+								    - attack.t1146  # an old one
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								logsource:
 								    product: windows
 								    service: powershell
-											fix powershell_clear_powershell_history error
										
										
											2021-08-21 10:00:48 +02:00
+								    definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								detection:
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								    selection_1:
 								        EventID: 4104
 								    selection_2:
 								        ScriptBlockText|contains:
-											Fix missing logic and Field
										
										
											2020-11-26 22:46:17 -03:00
+								            - 'del'
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								            - 'Remove-Item'
 								            - 'rm'
 								        ScriptBlockText|contains|all:
 								            - '(Get-PSReadlineOption).HistorySavePath'
 								    selection_3:
 								        ScriptBlockText|contains|all:
-											Fix missing logic and Field
										
										
											2020-11-26 22:46:17 -03:00
+								            - 'Set-PSReadlineOption'
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								            - '–HistorySaveStyle'
 								            - 'SaveNothing'
 								    selection_4:
 								        EventID: 4103
 								    selection_5:
 								        Payload|contains:
 								            - 'del'
-											Fix missing logic and Field
										
										
											2020-11-26 22:46:17 -03:00
+								            - 'Remove-Item'
 								            - 'rm'
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								        Payload|contains|all:
-											Fix missing logic and Field
										
										
											2020-11-26 22:46:17 -03:00
+								            - '(Get-PSReadlineOption).HistorySavePath'
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								    selection_6:
 								        Payload|contains|all:
 								            - 'Set-PSReadlineOption'
 								            - '–HistorySaveStyle'
 								            - 'SaveNothing'
 								    condition: selection_1 and ( selection_2 or selection_3 ) or
 								               selection_4 and ( selection_5 or selection_6 )
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								falsepositives:
-											Update powershell_clear_powershell_history.yml
										
										
											2020-11-28 09:26:18 +01:00
+								    - Legitimate PowerShell scripts
-											ilyas ochkov contribution
										
										
											2019-10-29 03:44:22 +03:00
+								level: medium