AN1557: Analytic 1557
Detection of PowerShell history suppression using Set-PSReadLineOption with SaveNothing or altered HistorySavePath. Correlating these options with PowerShell usage highlights adversarial evasion attempts.
Analyst context for executives and security teams
This analytic matters because it looks for users or processes changing PowerShell settings so command history is not saved or is saved somewhere unexpected. For leaders, the business issue is not the setting itself; it is the loss of investigative evidence during a Windows incident. If PowerShell history is suppressed, responders may have less context to reconstruct activity, determine scope, and produce audit-ready incident records.
Executive priority
Prioritize validation where Windows administration and incident response depend on PowerShell evidence. Security leaders should ask whether PowerShell activity is centrally logged independently of local history files, whether SOC playbooks treat history suppression as an evasion indicator, and whether incident response can still reconstruct activity when local console history is missing or redirected.
Technical view
For Windows environments, validate detection logic for Set-PSReadLineOption invoked with -HistorySaveStyle SaveNothing, or with a -HistorySavePath that points outside the default PSReadLine location, then correlate that activity with broader PowerShell execution. Two properties of PSReadLine shape the analytic: it only records lines entered at an interactive prompt, so non-interactive invocations (-Command, -File, remoting) never write this history regardless of the setting; and Set-PSReadLineOption changes the current session only, so an adversary who wants the suppression to persist must place it in a profile script, which makes profile writes a useful adjacent signal. Because no ATT&CK tactics or relationships are supplied, treat this as a focused detection analytic for PowerShell history suppression rather than a complete behavior chain. Detection engineers should test whether the environment captures the command content, parent process, user, host, timestamp, and surrounding PowerShell activity needed to distinguish administrative preference changes from suspicious evasion.
Likely telemetry
- PowerShell command content showing Set-PSReadLineOption with -HistorySaveStyle or -HistorySavePath arguments
- PowerShell execution telemetry with user, host, and timestamp context
- Windows process creation records for PowerShell hosts with command-line arguments (Security event 4688 with command-line auditing enabled, or Sysmon event 1)
- PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) or module logging (event 4103) where enabled; script block logging records the command text even when PSReadLine history is suppressed
- File creation or write evidence at a redirected HistorySavePath, and writes to PowerShell profile scripts ($PROFILE) that would persist the setting, when available
Detection direction
- Alert or hunt on Set-PSReadLineOption configured with -HistorySaveStyle SaveNothing, or with a -HistorySavePath outside the default location (%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\). PowerShell accepts any unambiguous parameter prefix and is case-insensitive, so match the parameter names loosely rather than on exact spelling.
- Correlate the setting change with subsequent or preceding PowerShell usage on the same host and user account.
- Tune for legitimate administrator profile configuration, automation, or hardening scripts that intentionally modify PSReadLine history behavior; an explicit path that still resolves to the default PSReadLine directory is a weaker signal than one pointing at a temp or hidden location.
- Do not rely on the local PowerShell history file: it is exactly the evidence this behavior removes. Validate that script block logging and process command-line auditing are forwarded centrally, because they record the command regardless of PSReadLine settings.
- Record enough context for IR triage: account, host, process lineage, command content, and nearby PowerShell activity.
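The technical view and detection direction above, worked as an added example (this is not code from the ATT&CK analytic or from Glexia): Python that classifies constructed event 4104 script block text and event 4688 command lines for Set-PSReadLineOption history suppression, attaches the other PowerShell activity seen for the same host and user, and tunes out an allowlisted baseline script. The record schema, hostnames, accounts, the baseline script path and every sample command are constructed assumptions; the default history location and the parameter-prefix behavior are PowerShell and PSReadLine facts.

```python
"""
Added example (not code from the ATT&CK analytic or from Glexia): match and
correlate PSReadLine history suppression over constructed telemetry records.
The record schema, hosts, accounts, baseline script path and sample commands
are assumptions for this example; adapt the field mapping to your SIEM.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PsEvent:
    ts: datetime
    host: str
    user: str
    source: str            # "4104" = script block text, "4688" = process command line
    text: str              # ScriptBlockText or CommandLine
    script_path: str = ""  # for 4104 when the block ran from a file, else ""


# PowerShell is case-insensitive and accepts any unambiguous parameter prefix
# (-HistorySaveS already selects -HistorySaveStyle), and quoting varies, so the
# patterns are deliberately loose. Splatted hashtables are matched separately.
_SET = r"set-psreadlineoption\b"
_SAVE_NOTHING = re.compile(
    rf"{_SET}.*?-historysaves\w*\s+savenothing\b", re.IGNORECASE | re.DOTALL)
_SAVE_NOTHING_SPLAT = re.compile(
    r"historysavestyle\s*=\s*['\"]?savenothing\b", re.IGNORECASE)
_PATH_VALUE = r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))"
_SAVE_PATH = re.compile(
    rf"{_SET}.*?-historysavep\w*\s+{_PATH_VALUE}", re.IGNORECASE | re.DOTALL)
_SAVE_PATH_SPLAT = re.compile(
    rf"historysavepath\s*=\s*{_PATH_VALUE}", re.IGNORECASE)

# PSReadLine's default file is
# %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\<HostName>_history.txt
_DEFAULT_LOCATION = re.compile(
    r"\\microsoft\\windows\\powershell\\psreadline\\[^\\]+_history\.txt$",
    re.IGNORECASE)


def classify(text: str) -> Optional[dict]:
    """Describe what a command does to history saving, or None if irrelevant."""
    if _SAVE_NOTHING.search(text) or _SAVE_NOTHING_SPLAT.search(text):
        return {"kind": "save_nothing"}
    m = _SAVE_PATH.search(text) or _SAVE_PATH_SPLAT.search(text)
    if m:
        path = next(g for g in m.groups() if g is not None).rstrip(";")
        return {"kind": "redirect", "path": path,
                "default_location": bool(_DEFAULT_LOCATION.search(path))}
    return None


def detect(events, baseline_scripts=frozenset(), window=timedelta(minutes=30)):
    """Flag history-suppression commands and attach the other PowerShell activity
    seen for the same host and user within `window`, since the local history
    file will not supply that context once the setting takes effect."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev.text)
        if hit is None:
            continue
        nearby = [o for o in events
                  if o is not ev and o.host == ev.host and o.user == ev.user
                  and abs(o.ts - ev.ts) <= window]
        if ev.script_path.lower() in baseline_scripts:
            disposition = "baseline"   # approved profile/hardening script
        elif hit["kind"] == "save_nothing" or not hit["default_location"]:
            disposition = "alert"
        else:
            disposition = "review"     # explicit path, but still the normal directory
        findings.append({
            "ts": ev.ts, "host": ev.host, "user": ev.user, "source": ev.source,
            "kind": hit["kind"], "path": hit.get("path", ""),
            "disposition": disposition, "command": ev.text,
            "nearby_commands": [o.text for o in nearby],
        })
    return findings


# Constructed sample telemetry (not real logs); the baseline path is an assumption.
BASELINE_SCRIPTS = frozenset({r"c:\programdata\baseline\psreadlineprofile.ps1"})
_T0 = datetime(2025, 3, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    PsEvent(_T0 + timedelta(seconds=10), "WS-01", r"CORP\jdoe", "4104",
            "Set-PSReadLineOption -HistorySaveStyle SaveNothing"),
    PsEvent(_T0 + timedelta(seconds=45), "WS-01", r"CORP\jdoe", "4104",
            r"Get-LocalGroupMember -Group Administrators | Out-File C:\Users\Public\admins.txt"),
    PsEvent(_T0 + timedelta(minutes=5), "WS-02", r"CORP\adm-lee", "4104",
            r"Set-PSReadLineOption -HistorySaveP C:\Windows\Temp\.h"),
    PsEvent(_T0 + timedelta(minutes=6), "WS-02", r"CORP\adm-lee", "4688",
            r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-Service WinRM"'),
    PsEvent(_T0 + timedelta(minutes=8), "WS-03", r"CORP\adm-ops", "4104",
            "Set-PSReadLineOption -HistorySaveStyle SaveIncrementally "
            r"-HistorySavePath 'C:\Users\adm-ops\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'",
            r"C:\ProgramData\Baseline\PSReadLineProfile.ps1"),
]

if __name__ == "__main__":
    for fd in detect(SAMPLE_EVENTS, BASELINE_SCRIPTS):
        print(f"{fd['ts']:%H:%M:%S} {fd['host']} {fd['user']} {fd['disposition']:8} "
              f"{fd['kind']} {fd['path']} (+{len(fd['nearby_commands'])} nearby)")
```

Run stand-alone, the sample yields an alert for the SaveNothing command on WS-01 with one nearby command attached, an alert for the redirect to C:\Windows\Temp\.h on WS-02, and a baseline disposition for the allowlisted profile script on WS-03; drop the allowlist and that last event falls back to "review" because its explicit path is still the default PSReadLine directory.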
Mitigation priorities
- Ensure PowerShell script block logging and process command-line auditing are enabled and forwarded centrally for Windows systems where PowerShell is used for administration, so the command record does not depend on a file the user controls.
- Define expected administrative use of PSReadLine configuration and investigate deviations from that baseline.
- Preserve incident response evidence sources that are independent of local PowerShell history files, such as script block logs, process command-line auditing, and EDR telemetry.
- Review privileged account and administrative workstation monitoring because history suppression is more material when performed by high-impact users.
- Document logging and monitoring coverage as compliance and investigation evidence where PowerShell activity is in scope.
Analyst notes and limits
The supplied object is a detection analytic, not a full ATT&CK technique entry. Its value is primarily evidentiary: it helps identify attempts to reduce visibility into PowerShell activity by suppressing or redirecting history. Local environment baselines are necessary to separate benign preference changes from suspicious activity.
Official detection logic, ATT&CK tactics, related techniques, and relationship context were not supplied. This analysis is limited to the Windows platform and the described PowerShell PSReadLine history suppression behavior. It does not imply active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0577f6d55323… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1557 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.