The Powershell ConsoleHost_history file
Windows PowerShell has grown into a beast of a command-line tool that is more and more useful for configuration, automation, forensics, penetration testing, and so on. Version 1.0 was first released on November 14, 2006 as a separate download for Windows XP, Server 2003 and Vista; the wonderful Windows 7 was the first version of Windows to ship with it built in (PowerShell 2.0).
There are some very nice commands that can be run with PowerShell that will return potentially valuable forensic information, such as:

PS C:\> Get-Process
    returns the running system processes

PS C:\> Get-NetTCPConnection -State Established
    returns network information (established TCP connections, each with the PID of the owning process)

PS C:\> Get-ADUser -Identity <username>
    returns information about a domain user (requires the ActiveDirectory module from RSAT on a domain-joined host; the cmdlet needs either -Identity or -Filter)
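As an added example of putting the first two of those commands to use together (this is not code from the original post), the function below maps every established TCP connection to its owning process, image path, command line and the account it runs as. The function name Get-EstablishedConnectionTriage is my own; Get-NetTCPConnection assumes Windows 8 / Server 2012 or later, and Get-CimInstance assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: join Get-NetTCPConnection to process
# metadata so each remote connection can be attributed to a binary and a user.
function Get-EstablishedConnectionTriage {
    [CmdletBinding()]
    param()

    # Win32_Process exposes the command line and a GetOwner() method that
    # Get-Process does not. Index it by PID once rather than querying per connection.
    $procByPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $procByPid[[int]$p.ProcessId] = $p
    }

    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc  = $procByPid[[int]$_.OwningProcess]
        $owner = $null
        if ($proc) {
            # GetOwner returns Domain and User of the process token (ReturnValue 0 on success)
            $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
            if ($o -and $o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        }
        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.Name } else { '<exited>' }   # PID may have exited between the two queries
            ImagePath     = if ($proc) { $proc.ExecutablePath } else { $null }
            Owner         = $owner
            CommandLine   = if ($proc) { $proc.CommandLine } else { $null }
        }
    }
}

# Usage: review everything, then narrow to connections owned by a PowerShell host
Get-EstablishedConnectionTriage | Sort-Object RemoteAddress | Format-Table -AutoSize
Get-EstablishedConnectionTriage | Where-Object { $_.ProcessName -match '^(powershell|pwsh)' } | Format-List
```

Running this from an elevated prompt matters: without it GetOwner and the command line are unavailable for processes belonging to other accounts, which are usually the ones of interest.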
I will cover Powershell and useful commands more in depth in future posts.
For this post I want to point out a potentially valuable text file located at:
"%APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
View this text file to see a history of PowerShell commands executed from the console. A few things are worth knowing before relying on it. It is written by the PSReadLine module, which ships with Windows 10 / PowerShell 5.0 and later, so older hosts will not have it unless the module was installed separately. Only interactive console hosts that load PSReadLine write to it: commands typed at the prompt are recorded, but commands inside a .ps1 script, commands run in the ISE, and non-interactive powershell.exe -Command / -EncodedCommand launches typically do not land there. The file is per user (%APPDATA% expands to C:\Users\<username>\AppData\Roaming), so for another account or an offline image walk the same relative path under each profile directory. Lines are appended as commands are entered but carry no timestamps; the file's last-write time is the only timing information. Recent PSReadLine versions also skip writing commands that appear to contain secrets (for example lines containing "password" or "token"), and a user can redirect or disable the history with Set-PSReadLineOption -HistorySavePath or -HistorySaveStyle SaveNothing, so a missing or suspiciously short file is itself worth noting.
[Screenshot: the contents of the ConsoleHost_history.txt file]
This text file, along with the PowerShell logs (for example Script Block Logging in the Microsoft-Windows-PowerShell/Operational event log), can be used to give insight into what PowerShell commands were run on a box and, because each user profile holds its own copy, which user ran or attempted to run them from the console.
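As an added example of collecting this artifact across every profile on a host (not code from the original post), the function below reads each user's ConsoleHost_history.txt, records the line number and the file's last-write time, and flags lines matching a small set of patterns associated with malicious PowerShell use. The function name Get-PSHistoryArtifacts and the pattern list are my own assumptions, and the list is illustrative rather than a complete signature set; run it from an elevated prompt so other users' AppData directories are readable, or point -ProfileRoot at a mounted image.

```powershell
# Added example, not from the original post: harvest ConsoleHost_history.txt from
# every user profile and flag lines that commonly indicate attacker activity.
# The patterns are an assumed, illustrative set; extend them for your environment.
$SuspiciousPatterns = @(
    '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',          # base64-encoded command
    'FromBase64String',
    'DownloadString|DownloadFile|Invoke-WebRequest|iwr\s|curl\s|wget\s',
    '\bIEX\b|Invoke-Expression',
    '-nop\b|-noprofile',
    '-w(indowstyle)?\s+hidden',
    'Set-MpPreference|Add-MpPreference',                     # Defender tampering
    'Set-PSReadLineOption.*History(SaveStyle|SavePath)',     # anti-forensics against this very file
    'Invoke-Mimikatz|sekurlsa|lsass'
)

function Get-PSHistoryArtifacts {
    [CmdletBinding()]
    param(
        # Root of the user profiles: C:\Users on a live host, or e.g. E:\Users for a mounted image
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )

    # Same path the post gives, with %APPDATA% expanded relative to each profile directory
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $file = Join-Path $userDir.FullName $relative
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $item   = Get-Item -LiteralPath $file
        $lineNo = 0
        foreach ($line in (Get-Content -LiteralPath $file -ErrorAction SilentlyContinue)) {
            $lineNo++
            # Every pattern that matches this line (-match is case-insensitive by default)
            $hits = @($SuspiciousPatterns | Where-Object { $line -match $_ })
            [PSCustomObject]@{
                User          = $userDir.Name        # the profile directory identifies the account
                File          = $file
                LastWriteTime = $item.LastWriteTime  # only timing data available; lines themselves are undated
                LineNumber    = $lineNo              # order of entry is preserved even without timestamps
                Command       = $line
                Suspicious    = ($hits.Count -gt 0)
                Matched       = ($hits -join '; ')
            }
        }
    }
}

# Usage: full history for every profile, then only the flagged lines
Get-PSHistoryArtifacts | Format-Table User, LineNumber, Command -Wrap
Get-PSHistoryArtifacts | Where-Object Suspicious | Format-Table User, LineNumber, Command, Matched -Wrap

# On a live host, also check whether history saving was redirected or disabled
Get-PSReadLineOption | Select-Object HistorySavePath, HistorySaveStyle
```

The last line is the check that pairs with the caveat above: HistorySaveStyle of SaveNothing, or a HistorySavePath that is not the default location, means the file you just collected may be incomplete by design. Get-PSReadLineOption assumes PSReadLine is loaded in the session you run it from.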
--Bryan