The PowerShell ConsoleHost_history file

Windows PowerShell has become a beast of a command prompt tool that is more and more useful for configuration, automation, forensics, penetration testing, etc.
It was first introduced on November 14, 2006 with the wonderful Windows 7 OS version.
There are some very nice commands that can be run with PowerShell that will return potentially valuable forensic information.
PS C:\> Get-Process    # returns system processes
PS C:\> Get-NetTCPConnection -State Established    # returns network information
PS C:\> Get-ADUser    # returns information about a user (needs the ActiveDirectory module and -Identity or -Filter)
I will cover PowerShell and useful commands in more depth in future posts.
For this post I want to point out a potentially valuable text file located at:
View this text file to see a history of PowerShell commands executed from the console.
[Screenshot: contents of the ConsoleHost_history.txt file]
This text file, along with PowerShell logs, can give insight into which PowerShell commands were run on a box, and potentially which user ran or attempted to run them from the console.
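
One way to collect this history during triage, as an added example that is not part of the original post: the script below reads ConsoleHost_history.txt from every profile under C:\Users and writes one CSV row per command. It assumes the PSReadLine default save location (a user can change it with Set-PSReadLineOption -HistorySavePath); the function name, review pattern and output file name are hypothetical.

```powershell
# Assumption: PSReadLine's default per-user history location, relative to the profile.
$relPath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

# Hypothetical review keywords; tune these to your environment.
$reviewPattern = 'DownloadString|-EncodedCommand|FromBase64String|Invoke-Expression'

function Get-ConsoleHistory {
    param([string]$UsersRoot = 'C:\Users')

    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $file = Join-Path $userDir.FullName $relPath
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $info   = Get-Item -LiteralPath $file -Force
        $lines  = @(Get-Content -LiteralPath $file)
        $buffer = ''
        $start  = 0   # 0 means "no entry in progress"

        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($start -eq 0) { $start = $i + 1 }
            $line = $lines[$i]
            # PSReadLine stores a multi-line command with a trailing backtick on
            # every line except the last; join those lines into one entry.
            if ($line.EndsWith('`') -and $i -lt $lines.Count - 1) {
                $buffer += $line.Substring(0, $line.Length - 1) + "`n"
                continue
            }
            $command = $buffer + $line
            if ($command.Trim()) {
                [pscustomobject]@{
                    User          = $userDir.Name   # profile folder name, not proof of who typed it
                    Line          = $start
                    Command       = $command
                    Review        = $command -match $reviewPattern
                    # The file holds no per-command timestamps; this is the only time available.
                    FileLastWrite = $info.LastWriteTimeUtc
                }
            }
            $buffer = ''
            $start  = 0
        }
    }
}

Get-ConsoleHistory | Export-Csv -Path .\console_history.csv -NoTypeInformation
```

Run it from an elevated prompt so other users' profiles are readable; an empty or missing file for an active PowerShell user is itself worth noting.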