Hello everyone, A little over a week ago, we discussed about how we can leverage the saved state of deleted file left in the recycle bin and grab it for content in a data exfiltration scenario. You can read more [...]
Hello everyone, we are all aware about Linux systems, its .bash_history and how it provides information about file locations, passwords passed in command arguments, a variety of scripts and so on.
But did you know, something similar to it now also exists in PowerShell? That’s precisely what I will be sharing about in today’s blog post, everything to know about PowerShell’s history file.
The PSReadLine module became the default command line experience for PowerShell v3 and above. It provides a bunch of features, you can read more about module here.
See the red box in the above image, that’s what we’re looking for! PowerShell v3 and over now included a history file which saves all executed commands.
For PowerShell v5 on Windows 10, the default option saves history to a file.
First things first, the name of the file is ConsoleHost_history.txt and the default location is at:
$env:APPDATA can also be written as C:\Users\username\AppData\Roaming if your environment variables don’t work (sometimes the case in reverse shells).
Moving onto some other interesting properties of PSReadLine, we can read all the propterties using the Get-PSReadLinOption
You can also modify these settings and everything else using the Set-PSReadLineOption cmdlet.
A Sample Output of the Get-PSReadLineOption Command:
Everything I type into a PowerShell terminal gets logged in the history file:
However, anything executed using a “Terminal-less” PowerShell session won’t get logged into the file. A terminal-less PowerShell session would be created in case of remote code executions where a attacker may move from cmd.exe to powershell.exe.
From a Red Teamer’s perspective. things similar to what you would find in a Linux .bash_history
That’s all for this post.
Thanks for Reading!
Written by: acc3ssp0int
Today we start with a new series of blog posts, namely, active directory components. In this three part series on Kerberos, we’ll be talking about it’s three heads: Part 1: What Kerberos is and how it works? Part 2: The notorious techniques of kerberoasting and ticketing attacks (golden and silver tickets) Part 3: Attempting to ...
Before we travel through the Secure code review in SDLC phase. Let us first understand what is Secure Coding, why it should be the part of early phase of SDLC, importance and best practices, available tools. Security Code Review: A secure code review is a part of the code review process to identify missing best ...