Powershell ConsoleHost History

Overview

Evidence: Powershell ConsoleHost History
Description: Collect Powershell ConsoleHost History
Category: System
Platform: windows
Short Name: pwrshllchhst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

PowerShell's PSReadLine module records every command entered at an interactive console to a history file kept in each user's profile. Because the file holds the commands as the user typed them, it is essential for detecting malicious command execution.

Data Collected

This collector gathers structured data from each user's PowerShell ConsoleHost history: one record per recorded command, attributed to the user profile it was found in.

Collection Method

This collector locates each user's ConsoleHost_history.txt, copies the file, and parses its tail (the most recent lines) into one record per command.
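The procedure described above, as an added PowerShell example that is not the collector's own code. It assumes the default PSReadLine history location under each profile and a hypothetical output folder C:\Triage; the number of trailing lines parsed is a parameter.

```powershell
# Added example (not the collector's own code): find each user's PSReadLine
# ConsoleHost_history.txt, copy it for evidence, and parse its tail into records.
# Assumptions: default PSReadLine path; C:\Triage is a hypothetical output folder.
param(
    [string]$OutDir = 'C:\Triage\pwrshllchhst',   # hypothetical output folder
    [int]$Tail = 200                              # number of most recent lines to parse
)

$relPath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Enumerate profiles from ProfileList so profiles outside C:\Users are found too.
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
    Where-Object { $_.ProfileImagePath } |
    Select-Object -ExpandProperty ProfileImagePath

$results = foreach ($profile in $profiles) {
    $hist = Join-Path $profile $relPath
    if (-not (Test-Path -LiteralPath $hist)) { continue }

    $user = Split-Path $profile -Leaf
    # Preserve the original; the copy is named after the profile it came from.
    $copy = Join-Path $OutDir ("{0}_ConsoleHost_history.txt" -f $user)
    Copy-Item -LiteralPath $hist -Destination $copy -Force
    $info = Get-Item -LiteralPath $hist

    # PSReadLine stores one command per line with no timestamps, so the line
    # position is the only ordering; LastWriteTime bounds the newest entry.
    $lines = @(Get-Content -LiteralPath $hist -Tail $Tail)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ([string]::IsNullOrWhiteSpace($lines[$i])) { continue }
        [pscustomobject]@{
            User          = $user
            LineFromEnd   = $lines.Count - $i
            Command       = $lines[$i].Trim()
            HistoryFile   = $hist
            LastWriteUtc  = $info.LastWriteTimeUtc
        }
    }
}

$results | Export-Csv -Path (Join-Path $OutDir 'consolehost_history.csv') -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it elevated so every profile directory is readable; the CSV keeps the records, while the copied files keep the original evidence intact.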

Forensic Value

This evidence is crucial for forensic investigations because it reveals the commands a user actually executed and therefore potential attacker behavior. Only interactively typed commands are recorded and the file is writable by the user, so an empty or truncated history is itself worth noting and should be correlated with other PowerShell logging.
