Rule Info
Name
PowerShell Enumeration of Claude Code Chat History
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects PowerShell scripts enumerating or reading files within the Claude Code conversation history directory.
Claude Code stores conversation history as JSONL files under: %USERPROFILE%\.claude\projects\<hash>\<session>.jsonl
Threat actors extract these files and apply regex matching to locate high-value secrets (cloud tokens, private keys,
database passwords) before pivoting to infrastructure such as ESXi hosts via harvested SSH credentials.
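As an added example, not the rule's own logic (the Nextron feed rule is private and its exact selectors are not on this page), the following Python approximates the behaviour described above and runs it over constructed PowerShell Script Block Logging events (EID 4104 ScriptBlockText). The indicator regexes, the cmdlet and alias list, and the sample events are all assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed sample Script Block Logging events (EID 4104 ScriptBlockText).
# None of these are real telemetry; they are written to exercise the check.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": r'Get-ChildItem "$env:USERPROFILE\.claude\projects" -Recurse -Filter *.jsonl | ForEach-Object { Get-Content $_.FullName }'},
    {"id": 2, "ScriptBlockText": r"Select-String -Path C:\Users\alice\.claude\projects\*\*.jsonl -Pattern 'AKIA[0-9A-Z]{16}'"},
    {"id": 3, "ScriptBlockText": r"Get-ChildItem $env:USERPROFILE\Documents -Recurse -Filter *.docx"},
    {"id": 4, "ScriptBlockText": r"Get-Content ~\.claude\settings.json"},  # same parent dir, not the history
    {"id": 5, "ScriptBlockText": r"gci \.claude\projects\ -recurse | % { [IO.File]::ReadAllText($_.FullName) }"},
]

# Assumed indicators (not the private rule's actual selectors).
# The conversation-history directory, accepting either separator style.
HISTORY_DIR = re.compile(r"\.claude[\\/]+projects", re.IGNORECASE)
# Cmdlets, their common aliases, and .NET calls that list or read files.
READ_OR_ENUM = re.compile(
    r"\b(get-childitem|gci|ls|dir|get-content|gc|cat|type|select-string|sls|get-item|gi)\b"
    r"|\[(?:system\.)?io\.(?:file|directory)\]::",
    re.IGNORECASE,
)


def classify(script_block: str) -> Optional[dict]:
    """Return match details when a script block both references the Claude Code
    history directory and lists or reads files; otherwise None.

    Both conditions are required: a path reference alone (e.g. a config read
    under ~\\.claude) or a file read elsewhere should not fire.
    """
    path_hit = HISTORY_DIR.search(script_block)
    if not path_hit:
        return None
    op_hit = READ_OR_ENUM.search(script_block)
    if not op_hit:
        return None
    return {"path": path_hit.group(0), "operation": op_hit.group(0)}


def scan_events(events) -> list:
    """Run the check over a batch of events and return the ids that fire."""
    hits = []
    for ev in events:
        if classify(ev["ScriptBlockText"]):
            hits.append(ev["id"])
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict = classify(ev["ScriptBlockText"])
        print(ev["id"], "ALERT" if verdict else "ok", verdict or "")
```

Against the constructed events, 1, 2 and 5 fire and 3 and 4 do not. A plain regex over ScriptBlockText is easy to evade with string concatenation or variable assembly of the path, so in production this kind of match is best paired with file-access telemetry on the history directory rather than relied on alone.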
Date
2026-06-11 00:00:00
Modified
None
Id
e78683a0-1fb7-44cc-94b5-58bbf36d6da9
Tags
attack.credential-access attack.t1552.001
Type
Nextron Sigma feed only (private)
