Hello everyone, A little over a week ago, we discussed about how we can leverage the saved state of deleted file left in the recycle bin and grab it for content in a data exfiltration scenario. You can read more [...]
Hello everyone, we are all aware about Linux systems, its .bash_history and how it provides information about file locations, passwords passed in command arguments, a variety of scripts and so on.
But did you know, something similar to it now also exists in PowerShell? That’s precisely what I will be sharing about in today’s blog post, everything to know about PowerShell’s history file.
The PSReadLine module became the default command line experience for PowerShell v3 and above. It provides a bunch of features, you can read more about module here.
See the red box in the above image, that’s what we’re looking for! PowerShell v3 and over now included a history file which saves all executed commands.
For PowerShell v5 on Windows 10, the default option saves history to a file.
First things first, the name of the file is ConsoleHost_history.txt and the default location is at:
$env:APPDATA can also be written as C:\Users\username\AppData\Roaming if your environment variables don’t work (sometimes the case in reverse shells).
Moving onto some other interesting properties of PSReadLine, we can read all the propterties using the Get-PSReadLinOption
You can also modify these settings and everything else using the Set-PSReadLineOption cmdlet.
A Sample Output of the Get-PSReadLineOption Command:
Everything I type into a PowerShell terminal gets logged in the history file:
However, anything executed using a “Terminal-less” PowerShell session won’t get logged into the file. A terminal-less PowerShell session would be created in case of remote code executions where a attacker may move from cmd.exe to powershell.exe.
From a Red Teamer’s perspective. things similar to what you would find in a Linux .bash_history
That’s all for this post.
Thanks for Reading!
Written by: acc3ssp0int
Before we travel through the Secure code review in SDLC phase. Let us first understand what is Secure Coding, why it should be the part of early phase of SDLC, importance and best practices, available tools. Security Code Review: A secure code review is a part of the code review process to identify missing best ...
Hello everyone, in this final installation of the OAuth blog series, we’ll be covering two vulnerabilities in the OAuth implementation. If you haven’t checked out the previous parts you can check out part one here and part two here. Before we get started, a big thanks to PortSwigger and their Web Security Academy Labs! The ...
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.