Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0469: Analytic 0469

Detects PowerShell `Clear-History` invocation or deletion of `ConsoleHost_history.txt` to erase past PowerShell session history.

EnterpriseAN0469AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because PowerShell history clearing can remove useful evidence during an investigation. On Windows systems, use of `Clear-History` or deletion of `ConsoleHost_history.txt` may indicate a user or process is trying to erase prior PowerShell activity, which can slow incident response and weaken audit reconstruction.

Executive priority

Security leaders should treat this as an evidence-preservation and investigation-readiness control point. The priority is not just alerting on one command, but confirming whether Windows endpoint logging and retention are sufficient to reconstruct PowerShell activity even when local history is cleared.

Technical view

Validate whether SOC tooling can detect PowerShell `Clear-History` invocation and deletion of `ConsoleHost_history.txt` on Windows. Because ATT&CK provides no official detection logic or relationship context for this analytic, teams should tune detections against local administrative behavior and correlate with surrounding process, user, host, and file activity before escalation.

Likely telemetry

  • Windows process creation telemetry with command-line detail
  • PowerShell execution or script-related logs where available
  • File deletion or file modification events for `ConsoleHost_history.txt`
  • Endpoint detection telemetry covering PowerShell activity
  • SIEM records that preserve user, host, timestamp, parent process, and command context

Detection direction

  • Confirm that PowerShell command invocations containing `Clear-History` are visible in collected telemetry.
  • Confirm that deletion of `ConsoleHost_history.txt` is monitored or otherwise recoverable from endpoint/file activity telemetry.
  • Correlate with user identity, host role, parent process, and nearby PowerShell commands to separate routine administrative cleanup from suspicious evidence removal.
  • Review retention gaps: local PowerShell history deletion should not eliminate centrally collected logs needed for investigation.
  • Tune for false positives from administrators, troubleshooting scripts, or user profile cleanup processes.

Mitigation priorities

  • Prioritize centralized logging and retention for Windows endpoint and PowerShell activity so local history clearing does not remove investigative evidence.
  • Limit and monitor administrative PowerShell usage according to role and operational need.
  • Ensure incident response procedures include rapid preservation of endpoint logs and relevant user profile artifacts.
  • Use detection tuning and exception handling for known administrative workflows rather than broadly suppressing this behavior.
Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. The supplied description is specific to PowerShell `Clear-History` and `ConsoleHost_history.txt` deletion on Windows. No tactics, related techniques, threat actors, campaigns, or official detection query were supplied.

Assessment is limited to the official STIX fields, external reference, and empty relationship context provided. Local logging configuration, PowerShell policy, endpoint coverage, and administrative practices are required to determine real detection value.

Official MITRE ATT&CK definition

Analytic 0469

Detects PowerShell `Clear-History` invocation or deletion of `ConsoleHost_history.txt` to erase past PowerShell session history.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
ee6ffe3a9001679f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle ee6ffe3a9001…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0469
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use