Evidence: Powershell ConsoleHost History
Description: Collect Powershell ConsoleHost History
Category: System
Platform: windows
Short Name: pwrshllchhst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The PSReadLine module records each command run in the PowerShell console to a per-user history file in that user's profile. This data is essential for detecting malicious command execution.
Data Collected
This collector gathers structured data about PowerShell ConsoleHost history.
Collection Method
This collector locates ConsoleHost_history.txt files per user, copies them, and parses the tail for commands.
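As an added example (not the collector's own code), a Python implementation of this collection method: it enumerates profile directories under a Users root, copies each ConsoleHost_history.txt it finds, and parses the tail into logical commands, rejoining the backtick-terminated continuation lines PSReadLine writes for multi-line commands. The default PSReadLine path under AppData\Roaming is assumed, and the sample history is constructed.

```python
import shutil
import tempfile
from pathlib import Path

# Default PSReadLine history path, relative to each profile directory under C:\Users.
HISTORY_REL = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt")
# Constructed sample history (not real data); a trailing backtick marks a continuation line.
SAMPLE_HISTORY = "Get-Process\nGet-ChildItem `\n  -Path C:\\Temp\nwhoami\n"

def find_history_files(users_root):
    for profile in sorted(Path(users_root).iterdir()):
        candidate = profile / HISTORY_REL
        if profile.is_dir() and candidate.is_file():
            yield profile.name, candidate

def parse_history_tail(text, max_commands=100):
    """Return the last max_commands logical commands; PSReadLine ends every line
    of a multi-line command except the last with a backtick, so rejoin those."""
    commands, buf = [], []
    for line in text.splitlines():
        buf.append(line[:-1] if line.endswith("`") else line)
        if line.endswith("`"):
            continue  # command continues on the next line
        command = "\n".join(buf).strip()
        buf = []
        if command:
            commands.append(command)
    leftover = "\n".join(buf).strip()  # unterminated continuation at end of file
    if leftover:
        commands.append(leftover)
    return commands[-max_commands:]

def collect(users_root, out_dir, max_commands=100):
    """Copy each user's history file into out_dir and return {user: [commands]}."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = {}
    for user, path in find_history_files(users_root):
        shutil.copy2(path, out / f"{user}_ConsoleHost_history.txt")  # keeps mtime
        text = path.read_text(encoding="utf-8", errors="replace")
        results[user] = parse_history_tail(text, max_commands)
    return results

def demo():
    """Build a throwaway Users tree from the constructed sample and run the collector."""
    root = Path(tempfile.mkdtemp())
    history = root / "Users" / "alice" / HISTORY_REL
    history.parent.mkdir(parents=True)
    history.write_text(SAMPLE_HISTORY, encoding="utf-8")
    (root / "Users" / "bob").mkdir()  # profile with no history file is skipped
    return collect(root / "Users", root / "out", max_commands=2)
```

On a live system `collect(r"C:\Users", r"D:\case\pwrshllchhst")` walks every profile; on a mounted image point `users_root` at the image's Users directory instead.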
Forensic Value
This evidence is crucial for forensic investigations as it reveals executed commands and potential attacker behavior.