PowerShell Artifact - ConsoleHost_History.txt
A great way to understand adversary PowerShell activity on a system.
Since PowerShell 4/5+, we’ve had a wealth of fantastic detection and forensic artifacts around PowerShell activity, such as Script Block logging and transcripts, which I will expand on in subsequent posts. However, one of the lesser discussed yet still valuable artifacts is the ConsoleHost_History.txt file inside the Users directory, which contains up to the last 4096 commands run in a PowerShell console. For my *nix users, it is very similar to the bash_history file.
While this artifact may seem less informative than Script Block logging and transcripts, you may occasionally find situations where it is the best artifact you have around PowerShell activity, because other, more verbose artifacts may simply not be present at all. This is especially true when script block logs/transcripts are either not enabled (very common) or have been maliciously disabled by a threat actor.
The default location for this file is %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.
It will generally contain up to 4096 commands run by the user that owns this profile; however, it is possible to increase this command history with the following command: Set-PSReadlineOption -MaximumHistoryCount 10000.
One of the first things to consider is that anytime you perform a triage acquisition of a victim system, be sure to include this location. This isn’t a file you’d generally target for consumption into your SIEM, but you can certainly use it for post-compromise analysis as well as proactive threat hunting.
In a recent IR, we observed suspicious PowerShell activity that aimed to disable things like Microsoft Defender and Script Block logging. Unfortunately, the script blocks were of little use after that point, but the commands used to disable Defender were captured by the ConsoleHost_History.txt file.
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableArchiveScanning $true -DisableScriptScanning $true -DisableIOAVProtection $true -MAPSReporting Disabled -SubmitSamplesConsent 2
Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableScriptScanning $true -DisableIOAVProtection $true -MAPSReporting Disabled -SubmitSamplesConsent 2
This provided YARA signature material to quickly assess any other systems with similar activity. With this signature we can now quickly scan every system for similar activity, regardless of whether they were shipping PowerShell logs to the SIEM or not. With a simple YARA scan, such as one run through Velociraptor, we can hunt for unusual PowerShell activity in this file across the fleet.
Now, it’s worth noting that ConsoleHost_History can be disabled as well, but this is less common in my experience. A simple command to accomplish this could be Set-PSReadlineOption -HistorySaveStyle SaveNothing. However, this example would only impact the session it was run in, and history would be re-enabled for subsequent sessions.
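As an added example (not part of the original post), the hunting idea above can be expressed as a small script that walks every profile under a mounted triage image's Users directory, reads each ConsoleHost_history.txt, and flags the Defender-tampering and history-suppression commands discussed here. The signature names, the scan_history/scan_profiles helpers and the sample history are my own constructions; the path and command patterns come from the post.

```python
import re
from pathlib import Path

# Artifact path relative to each user profile (from the post).
HISTORY_RELPATH = Path(r"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt")

# Patterns derived from the commands shown in the post: Defender tampering via
# Set-MpPreference, cloud protection turned off, and history suppression via PSReadline.
SIGNATURES = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-(?:DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
        r"DisableScriptScanning|DisableIOAVProtection|DisableArchiveScanning)\s+\$true",
        re.IGNORECASE),
    "defender_cloud_off": re.compile(
        r"-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+2", re.IGNORECASE),
    "history_suppressed": re.compile(
        r"Set-PSReadlineOption\b.*-HistorySaveStyle\s+SaveNothing", re.IGNORECASE),
}

def scan_history(text):
    """Return (line_no, signature, command) for every history line matching a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        for name, rx in SIGNATURES.items():
            if rx.search(cmd):
                hits.append((n, name, cmd))
    return hits

def scan_profiles(users_dir):
    """Scan the history file of every profile under users_dir (e.g. a mounted triage image).
    The file is assumed to be UTF-8; undecodable bytes are replaced rather than raising."""
    results = {}
    for profile in Path(users_dir).iterdir():
        hist = profile / HISTORY_RELPATH
        if hist.is_file():
            results[profile.name] = scan_history(hist.read_text(encoding="utf-8", errors="replace"))
    return results

# Constructed sample history, modelled on the post's observed commands (not real evidence).
SAMPLE_HISTORY = """Get-Process
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -MAPSReporting Disabled -SubmitSamplesConsent 2
Set-PSReadlineOption -HistorySaveStyle SaveNothing
Get-ChildItem C:\\Users
"""

if __name__ == "__main__":
    for n, sig, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {sig}: {cmd}")
```

Point scan_profiles at the Users directory of an acquired image to get a per-profile list of hits; an empty list for a profile that has no history file at all is itself worth noting.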
For additional reading, check out this great post: https://woshub.com/powershell-commands-history/