This note documents detection patterns related to History Clearing within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4688	Process creation	Critical	Detects commands targeting shell history, browser history, or PowerShell history files.
Sysmon	1	Process creation	Critical	Best execution source for cleanup tooling and lineage.
Sysmon	23	File delete	Critical	Captures deletion of history artifacts.
Sysmon	11	File create	Medium	History file overwrite or replacement.
PowerShell	4104	Script block logging	Critical	Captures history deletion commands.
Sysmon	12 / 13	Registry create / set	Medium	Browser cleanup or shell artifact manipulation.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
PSReadLine history deleted	`ConsoleHost_history.txt` removed	Critical	Common attacker cleanup.
Browser history removed after access	Edge / Chrome DB deletion	High	Session concealment clue.
Run dialog history cleared	RecentDocs / RunMRU cleanup	High	Anti-forensics indicator.
Batch deletion after attack chain	Cleanup immediately after execution	Critical	Strong intent signal.
File replaced with empty version	Timestomped history file	High	Partial anti-forensics.
Selective deletion only	Specific commands removed	High	Skilled operator clue.

Common Tools

Tool	Usage
PowerShell	Remove-Item history artifacts
cmd.exe	del / erase cleanup
reg.exe	Clear MRU registry entries
browser built-in cleanup	Clear local traces
custom scripts	Multi-artifact cleanup

Relevant Artifacts

Sysmon Event IDs 1, 11, 23, 12, 13
Security Event ID 4688
PowerShell 4104
PowerShell history:
- %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Browser history:
- Chrome History
- Edge History
Registry:
- RunMRU
- RecentDocs
Prefetch for cleanup tools
MFT / USN for deleted artifacts

MITRE ATT&CK References

T1070.003 Clear Command History
T1070 Indicator Removal on Host

Decision Tree

Which history cleared?
- PowerShell
- Browser
- Run dialog
Which process performed deletion?
- PowerShell
- cmd
- Browser
Timing suspicious?
- After execution
- Before disconnect
- Before log clear
Artifact recoverable?
- USN
- MFT
- Volume shadow
Expand:
- Adjacent anti-forensics
- File deletion
- Registry cleanup
Scope:
- Single user
- Multiple profiles
- Scripted cleanup

Example Detection Templates

KQL

Sysmon
| where EventID == 23
| where TargetFilename has_any ("ConsoleHost_history.txt","History")
| project TimeGenerated, Computer, TargetFilename

Sysmon
| where EventID == 1
| where CommandLine has_any ("Remove-Item","del ","erase ","Clear-History")
| project TimeGenerated, Computer, User, CommandLine

EQL

file where event.code == "23" and file.path like "*ConsoleHost_history.txt*"

sequence by host.name with maxspan=5m
  [ process where process.name in ("powershell.exe","cmd.exe") ]
  [ file where event.code == "23" ]

Sigma

title: History Clearing Detection
id: 3b9d6e44-history-clearing
status: experimental
description: Detects deletion of shell or browser history artifacts
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 23
  keywords:
    TargetFilename|contains:
      - 'ConsoleHost_history.txt'
      - 'History'
  condition: selection and keywords
fields:
  - TargetFilename
falsepositives:
  - User cleanup
level: high
tags:
  - attack.defense_evasion
  - attack.t1070.003

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Sysmon file delete logging	Enable Event 23	Critical	Core artifact visibility
PowerShell logging	Preserve cleanup commands	Critical	Strong source evidence
Shadow copies	Retain deleted artifacts	High	Recovery support
Central telemetry	Preserve history elsewhere	High	Reduce local-only blind spots
Registry monitoring	Watch MRU cleanup	Medium	Supplemental visibility