Monday, April 22, 2019

See Recent Typed Powershell Commands

The Powershell ConsoleHost_history file

Windows Powershell has become a beast of a command prompt tool, more and more useful for configuration, automation, forensics, penetration testing, etc.

It was first introduced on November 14, 2006 with the wonderful Windows 7 OS version.

There are some very nice commands that can be run with Powershell that will return some potentially valuable forensic information, such as:

    PS C:\> Get-Process                                --returns system processes
    PS C:\> Get-NetTCPConnection -State Established    --returns established network connections
    PS C:\> Get-ADUser                                 --returns information about a user

I will cover Powershell and useful commands more in depth in future posts.

For this post I want to point out a potentially valuable text file located at:

 "%APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"

View this text file to see a history of Powershell commands executed from the console.

[Image: contents of the ConsoleHost_history.txt file]

This text file, along with Powershell logs, can be used to give insight into what Powershell commands were run on a box, and potentially which user ran, or attempted to run, them from the console.
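As an added example (not part of the original post), the following Powershell collects that history file from every user profile on the host rather than only the current user's %APPDATA%, which is usually what you want during triage. It assumes profiles live under C:\Users and that each user kept the default PSReadLine save location under Roaming AppData.

```powershell
# Added example: enumerate ConsoleHost_history.txt for every user profile on the box.
# Assumption: default PSReadLine save path under <profile>\AppData\Roaming.
function Get-PSReadLineHistoryArtifacts {
    [CmdletBinding()]
    param(
        # Root of the user profiles; C:\Users on a normal Windows install.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )

    $relativePath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'

    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $historyFile = Join-Path $userDir.FullName $relativePath
        if (-not (Test-Path -LiteralPath $historyFile)) { continue }

        $item  = Get-Item -LiteralPath $historyFile
        $lines = @(Get-Content -LiteralPath $historyFile -ErrorAction SilentlyContinue)

        # One record per user: where the file is, when it was last touched,
        # how much history it holds and the most recent command typed.
        [pscustomobject]@{
            User          = $userDir.Name
            Path          = $historyFile
            LastWriteTime = $item.LastWriteTime
            LineCount     = $lines.Count
            LastCommand   = if ($lines.Count -gt 0) { $lines[-1] } else { $null }
        }
    }
}

# Usage: list the history files found, most recently written first.
Get-PSReadLineHistoryArtifacts | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

# Caveat: PSReadLine only writes this file from an interactive console session.
# For the current session, show where it saves and whether saving is disabled
# (HistorySaveStyle of SaveNothing means no history is recorded for that user).
if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
    Get-PSReadLineOption | Select-Object HistorySavePath, HistorySaveStyle
}
```

An empty or missing file for an active user is itself worth noting, since the history can be cleared or saving turned off.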

--Bryan