From ddaf4985752fa7515c4fff3d32913552d74f039a Mon Sep 17 00:00:00 2001
From: Burak Karaduman <36070747+krdmnbrk@users.noreply.github.com>
Date: Wed, 11 Dec 2024 02:05:24 +0300
Subject: [PATCH] New Atomic - Clear PowerShell Session History (#3011)

Co-authored-by: Hare Sudhan
---
 atomics/T1070.003/T1070.003.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml
index a2d461dbd7..d9588cfd40 100644
--- a/atomics/T1070.003/T1070.003.yaml
+++ b/atomics/T1070.003/T1070.003.yaml
@@ -193,3 +193,15 @@ atomic_tests:
     cleanup_command: |
       Set-PSReadLineOption -AddToHistoryHandler $null
     name: powershell
+- name: Clear PowerShell Session History
+  description: |
+    This technique involves using the Clear-History cmdlet in PowerShell to remove all records of previously executed commands.
+    This action is often performed by attackers to eliminate traces of their activities, making incident detection and forensic
+    investigation more challenging. By clearing the session history, adversaries aim to obfuscate their operational footprint.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Clear-History
+    name: powershell
+    elevation_required: false
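Review bot: The description on the new test overstates what `Clear-History` does: it only empties the current session's `Get-History` buffer, and leaves PSReadLine's persisted history file on disk untouched (the test immediately above, which works through `Set-PSReadLineOption -AddToHistoryHandler`, is the one that affects that file). I would reword the first description line to `This technique uses the Clear-History cmdlet to remove the current PowerShell session's command history (as seen by Get-History); it does not touch PSReadLine's on-disk history file.` and add a closing sentence noting that the cmdlet invocation itself remains visible to script block logging, so the test is useful for validating that detection. No `cleanup_command` is needed since the effect is confined to the running session, but a short comment saying so would help readers. The sibling tests in this file appear to carry an `auto_generated_guid`; if the project does not fill that in automatically, this test should get one too.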