Skip to content
AIR Knowledge Base

Powershell ConsoleHost History

Overview

Section titled “Overview”

Evidence: Powershell ConsoleHost History
Description: Collect Powershell ConsoleHost History
Category: System
Platform: windows
Short Name: pwrshllchhst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Section titled “Background”

PowerShell PSReadLine history records executed commands per user profile. This data is essential for detecting malicious command execution.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about powershell consolehost history.

Collection Method

Section titled “Collection Method”

This collector locates ConsoleHost_history.txt files per user, copies them, and parses the tail for commands.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations as it reveals executed commands and potential attacker behavior.