Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where ProcessCommandLine contains_cs "Clear-History" | project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has 'powershell' and ProcessCommandLine has 'Clear-History' | project DeviceName, ProcessId, ProcessCreationTime, ProcessCommandLine

DeviceProcessEvents | where FileName == 'powershell.exe' or FileName == 'pwsh.exe' | where ProcessCommandLine contains 'Clear-History' or ProcessCommandLine contains 'Remove-Item' and ProcessCommandLine contains '-Path' and ProcessCommandLine contains 'ConsoleHost_history.txt' | project DeviceName, AccountName, ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("Remove-Item", "Clear-History", "del", "Erase") and (ProcessCommandLine has "(Get-PSReadlineOption).HistorySavePath" or ProcessCommandLine has "ConsoleHost_history.txt" or ProcessCommandLine has "Clear-History") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has_any ("Clear-History", "cls", "Clear-Host") | where InitiatingProcessFileName =~ "powershell.exe" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by DeviceName, InitiatingProcessAccountSid, SHA1, ProcessCommandLine | extend Name = tostring(split(InitiatingProcessAccountSid,'-')[-1]) | extend NTDomain = tostring(split(InitiatingProcessAccountSid,'-')[-2]) | extend Account = strcat(NTDomain, '\\', Name) | project-away Name, NTDomain | order by StartTime asc, EndTime desc

DeviceProcessEvents | where FileName in ('powershell.exe', 'pwsh.exe') // Look for commands related to clearing history | where ProcessCommandLine has "Clear-History" or ProcessCommandLine has "Remove-Item" or ProcessCommandLine has "-Path" and (ProcessCommandLine contains "ConsoleHost_history.txt" or ProcessCommandLine contains "PSReadline") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime | order by TimeGenerated desc

DeviceProcessEvents | where FileName contains "powershell" or InitiatingProcessFileName contains "powershell.exe" | where InitiatingProcessCommandLine contains "Clear-History" or InitiatingProcessCommandLine contains "Remove-Item" or InitiatingProcessCommandLine contains "Get-PSReadLineOption" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "Clear-History" | project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime

let pat_ClearHistory = @"(?i)\bclear-history\b"; let pat_SetSaveNothing = @"(?i)\bset-psreadlineoption\b.*\bhistorysavestyle\b.*(savenothing|0)"; let pat_RemoveHistoryFile = @"(?i)\b(remove-item|rm|del(\.exe)?|erase)\b.*(consolehost_history\.txt|(get-psreadlineoption\)\.historysavepath)"; let pat_ClearOrEmptyFile = @"(?i)\b(clear-content|set-content)\b.*consolehost_history\.txt"; let pat_NulRedirection = @"(?i)\b(type|copy)\s+nul(\.|:)?\s*[>|>>]\s*.*consolehost_history\.txt"; let pat_HistoryFilePath = @"(?i)\\Microsoft\\(Windows\\)?PowerShell\\PSReadLine\\ConsoleHost_history\.txt"; let process_side = DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe") | extend CommandText = tostring(ProcessCommandLine) | where CommandText matches regex pat_ClearHistory or CommandText matches regex pat_SetSaveNothing or CommandText matches regex pat_RemoveHistoryFile or CommandText matches regex pat_ClearOrEmptyFile or CommandText matches regex pat_NulRedirection or CommandText matches regex pat_HistoryFilePath or CommandText has "(Get-PSReadLineOption).HistorySavePath" | extend MatchType = case( CommandText matches regex pat_ClearHistory, "Clear-History (session history cleared)", CommandText matches regex pat_SetSaveNothing, "Disable PSReadLine history (Set-PSReadLineOption -HistorySaveStyle SaveNothing)", CommandText matches regex pat_RemoveHistoryFile, "Delete PSReadLine history file", CommandText matches regex pat_ClearOrEmptyFile, "Clear/Overwrite PSReadLine history file", CommandText matches regex pat_NulRedirection, "Truncate PSReadLine history via NUL redirection", CommandText matches regex pat_HistoryFilePath or CommandText has "(Get-PSReadLineOption).HistorySavePath", "References PSReadLine history path", "Other"); let ps_command_side = DeviceEvents | where ActionType has "PowerShell" | extend CommandText = coalesce(tostring(AdditionalFields.Command), tostring(AdditionalFields.DecodedCommand), tostring(AdditionalFields.ScriptBlockText), tostring(AdditionalFields.ScriptText), tostring(AdditionalFields.Script), tostring(AdditionalFields.Payload)) | where isnotempty(CommandText) | where CommandText matches regex pat_ClearHistory or CommandText matches regex pat_SetSaveNothing or CommandText matches regex pat_RemoveHistoryFile or CommandText matches regex pat_ClearOrEmptyFile or CommandText matches regex pat_NulRedirection or CommandText matches regex pat_HistoryFilePath or CommandText has "(Get-PSReadLineOption).HistorySavePath" | extend MatchType = case( CommandText matches regex pat_ClearHistory, "Clear-History (session history cleared)", CommandText matches regex pat_SetSaveNothing, "Disable PSReadLine history (Set-PSReadLineOption -HistorySaveStyle SaveNothing)", CommandText matches regex pat_RemoveHistoryFile, "Delete PSReadLine history file", CommandText matches regex pat_ClearOrEmptyFile, "Clear/Overwrite PSReadLine history file", CommandText matches regex pat_NulRedirection, "Truncate PSReadLine history via NUL redirection", CommandText matches regex pat_HistoryFilePath or CommandText has "(Get-PSReadLineOption).HistorySavePath", "References PSReadLine history path", "Other"); union isfuzzy=true process_side, ps_command_side | project TimeGenerated, DeviceName, FileName, ActionType, AccountName, InitiatingProcessAccountName, CommandText, MatchType, InitiatingProcessParentFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents | where isnotempty(ProcessCommandLine) // normalize to lower for simpler matching | extend cmd = tolower(ProcessCommandLine) // look for explicit PowerShell history clearing commands or file removals/overwrites of the PSReadLine/ConsoleHost history file | where ( cmd contains "clear-history" or cmd contains "set-psreadlineoption" or cmd contains "psreadline" or cmd contains "consolehost_history" or cmd contains "consolehost_history.txt" or cmd contains "historysavestyle" or cmd contains "maximumhistorycount" or cmd contains "clear-host" or (cmd contains "remove-item" and (cmd contains "psreadline" or cmd contains "consolehost_history" or cmd contains "consolehost_history.txt")) or cmd matches regex "\\b(del|erase|remove-file|rm|remove)\\b.*(consolehost_history|consolehost_history.txt|psreadline)" or cmd matches regex "set-psreadlineoption\\s+.*(historysavestyle|maximumhistorycount)" ) | extend MatchedPattern = case( cmd matches regex "clear-history", "Clear-History", cmd matches regex "set-psreadlineoption", "Set-PSReadLineOption", cmd matches regex "psreadline|consolehost_history", "PSReadLine/ConsoleHost_history", cmd matches regex "remove-item", "Remove-Item", cmd matches regex "\\b(del|erase|rm|remove-file|remove)\\b", "Delete/Truncate File", "Other" ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, ProcessCommandLine, MatchedPattern, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | take 500

let pattern = @"(?i)(?:\bclear-history\b|get-history\s*\|\s*remove-item|remove-item\s+[^;|&]+|(?:\bdel\b|\brm\b)\s+[^;|&]+|\bclear-host\b|consolehost_history|psreadline|export-clixml|clear-variable|remove-item\s+\$env:APPDATA[^;|&]+ConsoleHost_history|remove-item\s+\$env:USERPROFILE[^;|&]+ConsoleHost_history)"; let procEvents = DeviceProcessEvents | where isnotempty(ProcessCommandLine) | where tolower(FileName) has_any ("powershell","pwsh","powershell.exe","pwsh.exe") | extend cmd=ProcessCommandLine | extend matched=extract(pattern, 0, cmd) | where isnotempty(matched) | project Timestamp, TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain=AccountDomain, FileName, ProcessId, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, cmd, matched; let devEvents = DeviceEvents | where isnotempty(ProcessCommandLine) | where tolower(FileName) has_any ("powershell","pwsh","powershell.exe","pwsh.exe") | extend cmd=ProcessCommandLine | extend matched=extract(pattern, 0, cmd) | where isnotempty(matched) | project Timestamp, TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain=AccountDomain, FileName, ProcessId, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine, cmd, matched; union isfuzzy=true procEvents, devEvents | summarize FirstSeen=min(coalesce(Timestamp, TimeGenerated)), LastSeen=max(coalesce(Timestamp, TimeGenerated)), AnyMatched=make_set(matched, 50), SampleCmd=any(cmd), Count=count() by DeviceId, DeviceName, AccountName, AccountDomain, ProcessId, FileName | order by LastSeen desc | limit 500

DeviceProcessEvents | where FileName in ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ('clear-history', 'delete history', 'remove history', 'clear history') | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName | order by Timestamp desc

DeviceProcessEvents | where FileName =~ 'powershell.exe' | where ProcessCommandLine contains 'Clear-History' | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_any ("Clear-History", "Remove-History", "Remove-Item", "HistorySavePath") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "powershell.exe" | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_any ("Remove-Item", "Clear-History") and ProcessCommandLine has_any ("Get-PSReadLineOption", "HistorySavePath") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCreationTime, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine | order by TimeGenerated desc

// Look for PowerShell commands that clear or disable history let timeRange = 7d; // Change in the GUI or override here let PowerShellHosts = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let HistoryClearKeywords = dynamic([ "clear-history", "remove-history", "remove-item", "set-psreadlineoption", "consolehost_history.txt", "(get-psreadlineoption).historysavepath" ]); DeviceProcessEvents | where TimeGenerated between (ago(timeRange) .. now()) | where FileName in~ (PowerShellHosts) | where ProcessCommandLine has_any (HistoryClearKeywords) // Classify the exact technique, where possible | extend HistoryAction = case( ProcessCommandLine matches regex @"(?i)clear-history", "Clear-History cmdlet", ProcessCommandLine matches regex @"(?i)remove-history", "Remove-History cmdlet", ProcessCommandLine matches regex @"(?i)set-psreadlineoption.*-historysavepath", "Redirect history with Set-PSReadLineOption", ProcessCommandLine matches regex @"(?i)remove-item.*consolehost_history\.txt", "Delete consolehost_history.txt", ProcessCommandLine matches regex @"(?i)remove-item.*history", "Remove-Item PowerShell history file", "Other history-wipe command") | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, HistoryAction, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, FolderPath, SHA256 | sort by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Clear-History" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where FileName has "powershell.exe" | where ProcessCommandLine has "Clear-History" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine has "powershell.exe" or ProcessCommandLine has "pwsh.exe" | where (ProcessCommandLine has "Clear-History") or (ProcessCommandLine has "ClearHistory(") or (ProcessCommandLine has "PSConsoleReadLine::ClearHistory") or (ProcessCommandLine has "Remove-Item" and ProcessCommandLine has "ConsoleHost_history.txt") or (ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "HistorySaveStyle SaveNothing") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where FileName endswith "powershell.exe" | where tolower(ProcessCommandLine) matches regex @"(?i)(clear(-| )history|remove-item\s+.*ConsoleHost_history\.txt)" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc