What is the “PS History” Windows forensic artifact?

PowerShell History refers to the record of commands that a user has typed into a PowerShell console session. By default, the PSReadline module in modern versions of PowerShell saves this command history to a plain text file. This file, named ConsoleHost_history.txt, is stored within each user’s profile, typically located at %AppData%\Microsoft\Windows\PowerShell\PSReadline. It captures a chronological list of the cmdlets and scripts executed by the user.

In a DFIR investigation, the PowerShell history file is a goldmine for understanding an attacker’s actions, especially given the widespread use of PowerShell for legitimate administration and malicious “living-off-the-land” attacks. The entries are raw commands, providing a literal script of the attacker’s activities, such as reconnaissance (e.g., Get-Process), lateral movement (e.g., Enter-PSSession), and malware execution (e.g., Invoke-Expression). This artifact can reveal the attacker’s intent, their level of sophistication, and the specific tools or techniques they employed. Analyzing PowerShell history is crucial for detecting fileless malware, reconstructing the attack chain, and identifying compromised credentials or systems targeted by the attacker.

Collecting, Decoding, and Viewing “PS History” with TensorGuard

1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
3. Linked inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
5. Now that you have a device enrolled, select the device(s), and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and if the collection and analysis should be recurring.
6. Once the report is generated, you’ll have PS History delivered in the browser, alongside an executive summary and timeline of findings.