While writing my C2, I found a trick to avoid saving your commands entered during the PowerShell session in the PSReadLine file.

By default, the PowerShell in Windows 10 saves the last 4096 commands.

File located in: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

So, let’s execute our simple code.

while ($true) {$cmdInput = Read-Host -Prompt 'PS> '; Invoke-Expression -Command $cmdInput}

After executing the code, now we can invoke some commands without logging in “ConsoleHost_history.txt”.

PoC

As shown in the picture below, the commands circled in red are only recorded in the PSReadline file.

What Happened

After going back to Microsoft documentation, we will find the answer.

It's about "Order of Commands"

Commands are added to the history when the command finishes executing, not when the command is entered.

Our code, executes commands without being recorded in the history file, because the while loop does not end and count as one command. What happens inside the loop is not recorded.

Closing Note

All commands that have been executed will be recorded in the Event Viewer.