Deletion of Terminal History Cache

Rule Info

Name
Deletion of Terminal History Cache
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the deletion of terminal history cache files, which adversaries target when erasing evidence of their activity. These cache files typically hold information such as Remote Desktop Protocol (RDP) connection history, an artifact forensic investigators rely on to reconstruct lateral movement; deleting them is a way to cover tracks and hinder incident response. The behavior maps to ATT&CK T1070.007 (Indicator Removal: Clear Network Connection History and Configurations) and should be treated as suspicious, particularly in environments where such deletions are otherwise uncommon.
Date
2025-05-20 00:00:00
Modified
None
Id
ef594542-e0f4-43bc-bffe-6ad23e2314be
Tags
attack.defense-evasion attack.t1070.007
Type
Nextron Sigma feed only (private)
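
The private rule itself is not published, so the following is an added example that is not part of this page or the Nextron feed: it runs the detection idea from the description over a few constructed Sysmon FileDelete (Event ID 23) records. The directory it keys on, the RDP client's bitmap cache under `%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache`, is an assumption about what "terminal history cache" refers to; the real rule may match different paths or event sources. The sample events are fabricated for illustration.

```python
"""
Added example, not part of the Nextron rule page or its Sigma feed.

Flags file-delete events whose target sits in the RDP client's bitmap cache
directory. The directory (CACHE_DIR_MARKER) is an assumption about what the
private rule matches; event fields follow Sysmon Event ID 23 (FileDelete).
"""
from typing import Iterable

# Assumption: directory the detection keys on. Matched as a substring after
# normalisation so the drive letter and user profile name do not matter.
CACHE_DIR_MARKER = "\\microsoft\\terminal server client\\cache\\"

ATTACK_TAGS = ["attack.defense-evasion", "attack.t1070.007"]


def normalise_path(path: str) -> str:
    """Lower-case and unify separators so matching ignores case and slash style."""
    return path.replace("/", "\\").lower()


def is_terminal_cache_delete(event: dict) -> bool:
    """True if the event is a Sysmon FileDelete (EID 23) targeting the RDP cache dir."""
    if event.get("EventID") != 23:
        return False
    return CACHE_DIR_MARKER in normalise_path(event.get("TargetFilename", ""))


def detect_terminal_cache_deletions(events: Iterable[dict]) -> list[dict]:
    """Return one finding per matching event, with the fields an analyst triages on."""
    findings = []
    for ev in events:
        if is_terminal_cache_delete(ev):
            findings.append({
                "time": ev.get("UtcTime"),
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "file": ev.get("TargetFilename"),
                "tags": list(ATTACK_TAGS),
            })
    return findings


# Constructed sample events (not real telemetry), shaped like Sysmon records.
SAMPLE_EVENTS = [
    {  # deletion of a bitmap cache file from a shell: should fire
        "EventID": 23, "UtcTime": "2025-05-20 10:15:01.123", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\Cache0000.bin",
    },
    {  # same directory, forward slashes and mixed case: should still fire
        "EventID": 23, "UtcTime": "2025-05-20 10:15:02.456", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "c:/Users/jdoe/AppData/Local/Microsoft/Terminal Server Client/Cache/bcache22.bmc",
    },
    {  # unrelated temp-file deletion: must not fire
        "EventID": 23, "UtcTime": "2025-05-20 10:16:00.000", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tmp1234.tmp",
    },
    {  # file creation (EID 11) in the cache dir: not a deletion, must not fire
        "EventID": 11, "UtcTime": "2025-05-20 10:17:00.000", "User": "CORP\\jdoe",
        "Image": "C:\\Windows\\System32\\mstsc.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\Cache0001.bin",
    },
]

if __name__ == "__main__":
    for finding in detect_terminal_cache_deletions(SAMPLE_EVENTS):
        print(finding)
```

When tuning this in production, note that the RDP client (mstsc.exe) rewrites its own cache files during normal use, so deletions by mstsc.exe itself are expected; the interesting cases are deletions by shells, scripting hosts or unrelated binaries, or a burst that wipes the whole directory at once.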

Rule History