Question Analysis

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Set-PSReadLineOption" | where ProcessCommandLine has "HistorySaveStyle" | where ProcessCommandLine has "SaveNothing" | project Timestamp, DeviceName, AccountName, ProcessCommandLine | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine has 'Set-PSReadLineOption -HistorySaveStyle SaveNothing'

DeviceProcessEvents | where ProcessCommandLine contains 'Set-PSReadLineOption' and ProcessCommandLine contains 'SaveNothing' | project DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe") | where ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "-HistorySaveStyle" and ProcessCommandLine has "SaveNothing" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "Set-PSReadlineOption" | where ProcessCommandLine contains "HistorySaveStyle" | where ProcessCommandLine contains "SaveNothing" | sort by Timestamp desc | project-reorder Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessParentFileName, FileName, InitiatingProcessId, ProcessId

DeviceProcessEvents | where ProcessCommandLine contains "HistorySaveStyle" and ProcessCommandLine contains "SaveNothing" | project TimeGenerated, DeviceName, AccountDomain, AccountName, InitiatingProcessFileName, ProcessName = FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated >= ago(7d) | where FileName in ('powershell.exe', 'pwsh.exe') | extend CommandLineLower = tolower(ProcessCommandLine) | where CommandLineLower contains 'set-psreadlineoption' and CommandLineLower contains 'historysavestyle' and CommandLineLower contains 'savenothing' | project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId

let src_proc = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | extend CmdLower = tolower(ProcessCommandLine), SourceTable = "DeviceProcessEvents"; let src_evt = DeviceEvents | where isnotempty(ProcessCommandLine) | extend CmdLower = tolower(ProcessCommandLine), SourceTable = "DeviceEvents"; union src_proc, src_evt | where (CmdLower contains "savenothing" and CmdLower contains "historysavestyle") or (CmdLower contains "set-psreadlineoption" and CmdLower contains "savenothing") or (CmdLower contains "$psreadlineoptions" and CmdLower contains "savenothing") | project TimeGenerated, Timestamp, SourceTable, DeviceName, DeviceId, AccountName = coalesce(AccountName, InitiatingProcessAccountName), AccountDomain = coalesce(AccountDomain, InitiatingProcessAccountDomain), AccountUpn = coalesce(AccountUpn, InitiatingProcessAccountUpn), InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, ProcessFileName = FileName, ProcessId, OriginalCommandLine = ProcessCommandLine | sort by TimeGenerated desc | take 200

( DeviceProcessEvents | where ( ProcessCommandLine has "HistorySaveStyle" or InitiatingProcessCommandLine has "HistorySaveStyle" or ProcessCommandLine has "SaveNothing" or InitiatingProcessCommandLine has "SaveNothing" or ProcessCommandLine has "Set-PSReadLine" or InitiatingProcessCommandLine has "Set-PSReadLine" or ProcessCommandLine has "Set-PSReadLineOption" or InitiatingProcessCommandLine has "Set-PSReadLineOption" or ProcessCommandLine has "PSReadLine" or InitiatingProcessCommandLine has "PSReadLine" or ProcessCommandLine has "$Options.HistorySaveStyle" or InitiatingProcessCommandLine has "$Options.HistorySaveStyle" or ProcessCommandLine has "PSReadlineOptions" or InitiatingProcessCommandLine has "PSReadlineOptions" ) | extend PC = tostring(ProcessCommandLine), IPC = tostring(InitiatingProcessCommandLine) | extend MatchedCommand = coalesce( extract("(?i)(Set-PSReadLineOption[^;|&]*)", 1, PC), extract("(?i)(Set-PSReadLineOption[^;|&]*)", 1, IPC), extract("(?i)(Set-PSReadLine[^;|&]*)", 1, PC), extract("(?i)(Set-PSReadLine[^;|&]*)", 1, IPC), extract("(?i)([^;|&]*HistorySaveStyle[^;|&]*)", 1, PC), extract("(?i)([^;|&]*HistorySaveStyle[^;|&]*)", 1, IPC), extract("(?i)([^;|&]*SaveNothing[^;|&]*)", 1, PC), extract("(?i)([^;|&]*SaveNothing[^;|&]*)", 1, IPC), PC, IPC ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine=PC, InitiatingProcessCommandLine=IPC, ReportId ) | union ( DeviceEvents | where ( ProcessCommandLine has "HistorySaveStyle" or InitiatingProcessCommandLine has "HistorySaveStyle" or ProcessCommandLine has "SaveNothing" or InitiatingProcessCommandLine has "SaveNothing" or ProcessCommandLine has "Set-PSReadLine" or InitiatingProcessCommandLine has "Set-PSReadLine" or ProcessCommandLine has "Set-PSReadLineOption" or InitiatingProcessCommandLine has "Set-PSReadLineOption" or ProcessCommandLine has "PSReadLine" or InitiatingProcessCommandLine has "PSReadLine" or ProcessCommandLine has "$Options.HistorySaveStyle" or InitiatingProcessCommandLine has "$Options.HistorySaveStyle" or ProcessCommandLine has "PSReadlineOptions" or InitiatingProcessCommandLine has "PSReadlineOptions" ) | extend PC = tostring(ProcessCommandLine), IPC = tostring(InitiatingProcessCommandLine) | extend MatchedCommand = coalesce( extract("(?i)(Set-PSReadLineOption[^;|&]*)", 1, PC), extract("(?i)(Set-PSReadLineOption[^;|&]*)", 1, IPC), extract("(?i)(Set-PSReadLine[^;|&]*)", 1, PC), extract("(?i)(Set-PSReadLine[^;|&]*)", 1, IPC), extract("(?i)([^;|&]*HistorySaveStyle[^;|&]*)", 1, PC), extract("(?i)([^;|&]*HistorySaveStyle[^;|&]*)", 1, IPC), extract("(?i)([^;|&]*SaveNothing[^;|&]*)", 1, PC), extract("(?i)([^;|&]*SaveNothing[^;|&]*)", 1, IPC), PC, IPC ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine=PC, InitiatingProcessCommandLine=IPC, ReportId ) | sort by TimeGenerated desc | take 100

// Find process events where a command sets PSReadLine history to SaveNothing DeviceProcessEvents | where Timestamp between (startofday(ago(7d)) .. now()) | where tolower(FileName) in ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "pwsh", "powershell") or tolower(ProcessCommandLine) contains "set-psreadline" or tolower(ProcessCommandLine) contains "psreadline" or tolower(ProcessCommandLine) contains "HistorySaveStyle" | where // match common patterns that set history save style tolower(ProcessCommandLine) has "set-psreadlineoption" or tolower(ProcessCommandLine) has "historysavestyle" or tolower(ProcessCommandLine) has "set-psreadline" or tolower(ProcessCommandLine) has "psconsolehost" or tolower(ProcessCommandLine) has "setoptions" | extend MatchedCommand = ProcessCommandLine | project Timestamp, DeviceName, AccountName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedCommand | order by Timestamp desc | take 100

let TimeWindow = 7d; DeviceProcessEvents | where TimeGenerated >= ago(TimeWindow) | where ProcessCommandLine has "Set-PSReadLineOption" | where ProcessCommandLine has "HistorySaveStyle" | where ProcessCommandLine has "SaveNothing" | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCreationTime

DeviceProcessEvents | where ProcessCommandLine contains "Set-PSReadLineOption" and ProcessCommandLine contains "-HistorySaveStyle SaveNothing" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine contains "Set-PSReadLineOption -HistorySaveStyle SaveNothing" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has_all ("Set-PSReadLineOption", "SaveNothing") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has_all ("Set-PSReadLineOption", "SaveNothing") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

// ------------------------------------------------------------- // Detect PowerShell command that disabled history recording // (Set-PSReadLineOption -HistorySaveStyle SaveNothing) // ------------------------------------------------------------- let powershell_binaries = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); DeviceProcessEvents | where FileName has_cs "powershell" // only PowerShell interpreters | where FileName in~ (powershell_binaries) // ---- Pull out any base-64 encoded payload so we can inspect the real command ---- | extend EncodedCommand = extract(@"(?i)(?:-|/)e(?:ncodedcommand|n|nc)?\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine) | extend DecodedCommand = iff(isnotempty(EncodedCommand), base64_decode_tostring(EncodedCommand), "") | extend CommandText = iff(isnotempty(DecodedCommand), strcat(ProcessCommandLine, " <<<DECODED>>> ", DecodedCommand), ProcessCommandLine) // ---- Keep only executions that attempt to change the history save style ---- | where CommandText has "Set-PSReadLineOption" and CommandText has "HistorySaveStyle" and CommandText has "SaveNothing" // ---- Extract the option-setting statement for quick readability ---- | extend PSReadLineOptionCall = extract(@"(Set-PSReadLineOption[^`r`n;]*)", 1, CommandText) // ---- Present the evidence ---- | project TimeGenerated, DeviceName, AccountName, FileName, ExecutedCommand = coalesce(PSReadLineOptionCall, CommandText), FullProcessCommandLine = CommandText, FolderPath, InitiatingProcessAccountName, InitiatingProcessCommandLine | sort by TimeGenerated asc

DeviceProcessEvents | where (ProcessCommandLine has "SaveNothing" or InitiatingProcessCommandLine has "SaveNothing") and (ProcessCommandLine has "Set-PSReadlineOption" or InitiatingProcessCommandLine has "Set-PSReadlineOption") | project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "SaveNothing" or InitiatingProcessCommandLine contains "SaveNothing" | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents // Look for PowerShell or PowerShell Core processes | where FileName in~ ("powershell.exe", "pwsh.exe") // Identify invocations that disable PSReadLine history logging | where ProcessCommandLine has "-HistorySaveStyle" and ProcessCommandLine has "SaveNothing" // Show relevant details | project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // adjust time filter as needed or rely on external time picker | where FileName in ("powershell.exe", "pwsh.exe") // include Windows PowerShell and PowerShell Core | where ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "SaveNothing" | project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine