PowerShell One-Liner Targeting Claude Code Chat History

Rule Info

Name
PowerShell One-Liner Targeting Claude Code Chat History
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects PowerShell one-liners trying to enumerate or read files within the Claude Code conversation history directory. Claude Code stores conversation history as JSONL files under:

%USERPROFILE%\.claude\projects\<hash>\<session>.jsonl

Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys, database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials.
Date
2026-06-11 00:00:00
Modified
None
Id
7ea7ba37-ff29-4052-a8e9-96635089e3cb
Tags
attack.credential-access attack.t1552.001
Type
Nextron Sigma feed only (private)

Rule History