title: Clear PowerShell History
id: dfba4ce1-e0ea-495f-986e-97140f31af2d
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
author: Ilyas Ochkov, oscd.community, Jonhnathan Ribeiro
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
    - attack.defense_evasion
    - attack.t1070.003
    - attack.t1146 # an old one
logsource:
    product: windows
    service: powershell
detection:
    selection1:
        Message|contains:
            - 'del'
            - 'Set-PSReadlineOption'
            - 'Remove-Item'
            - 'rm'
    selection2:
        Message|contains:
            - '(Get-PSReadlineOption).HistorySavePath'
    selection3:
        Message|contains:
            - '–HistorySaveStyle'
            - 'SaveNothing'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - some PS-scripts
level: medium
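As an added example (not part of the rule above or of the Sigma project's own code), the following Python evaluates this rule's condition over a few constructed PowerShell script-block messages, showing why the broad `rm`/`del` substrings in selection1 only fire when gated by selection2 or selection3. It assumes the Sigma `contains` modifier is a case-insensitive substring match and keeps selection3's en-dash exactly as the rule writes it.

```python
from typing import Dict, List

# Keyword lists copied from the rule's three selections. The first entry of
# SELECTION3 keeps the rule's en-dash (U+2013) rather than an ASCII hyphen.
SELECTION1 = ["del", "Set-PSReadlineOption", "Remove-Item", "rm"]
SELECTION2 = ["(Get-PSReadlineOption).HistorySavePath"]
SELECTION3 = ["\u2013HistorySaveStyle", "SaveNothing"]


def contains_any(message: str, needles: List[str]) -> bool:
    """Sigma 'contains': case-insensitive substring match against any needle."""
    low = message.lower()
    return any(n.lower() in low for n in needles)


def selection_hits(message: str) -> Dict[str, bool]:
    """Report which of the rule's selections a single Message satisfies."""
    return {
        "selection1": contains_any(message, SELECTION1),
        "selection2": contains_any(message, SELECTION2),
        "selection3": contains_any(message, SELECTION3),
    }


def matches_rule(message: str) -> bool:
    """condition: selection1 and (selection2 or selection3)"""
    hits = selection_hits(message)
    return hits["selection1"] and (hits["selection2"] or hits["selection3"])


# Constructed sample events in the shape of PowerShell script-block log text.
SAMPLE_EVENTS = [
    # deleting the on-disk PSReadline history file
    {"EventID": 4104, "Message": "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"},
    # disabling history persistence, written with the en-dash selection3 expects
    {"EventID": 4104, "Message": "Set-PSReadlineOption \u2013HistorySaveStyle SaveNothing"},
    # benign: 'rm' inside 'Format' satisfies selection1 alone, so no alert
    {"EventID": 4104, "Message": "Get-Process | Format-Table Name, Id"},
    # ASCII-hyphen form: selection3 still matches, but only via 'SaveNothing'
    {"EventID": 4104, "Message": "Set-PSReadlineOption -HistorySaveStyle SaveNothing"},
]


def run_rule(events: List[Dict]) -> List[Dict]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e["Message"])]
```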