valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1136725728
SigmaHQ/rules/windows/powershell/powershell_clear_powershell_history.yml

26 lines
795 B
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

title: Clear PowerShell History
id: dfba4ce1-e0ea-495f-986e-97140f31af2d
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
- attack.defense_evasion
- attack.t1070.003
- attack.t1146 # an old one
logsource:
product: windows
service: powershell
detection:
keywords:
- 'del (Get-PSReadlineOption).HistorySavePath'
- 'Set-PSReadlineOption HistorySaveStyle SaveNothing'
- 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
- 'rm (Get-PSReadlineOption).HistorySavePath'
condition: keywords
falsepositives:
- some PS-scripts
level: medium
Reference in New Issue View Git Blame Copy Permalink