PowerShellConsole.tkape
Description: PowerShell Console Log File
Author: Mike Cary, 2thewes
Version: 1.2
Id: efa4332a-89eb-430c-ab61-006a9e6620d7
RecreateDirectories: true
Targets:
    -
        Name: PowerShell Console Log
        Category: PowerShellConsoleLog
        Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
        FileMask: '*_history.txt'
    -
        Name: PowerShell Console Log Systemprofile
        Category: PowerShellConsoleLog
        Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
        FileMask: '*_history.txt'
    -
        Name: PowerShell Console Log WOW64 Systemprofile
        Category: PowerShellConsoleLog
        Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
        FileMask: '*_history.txt'
# Documentation
# https://community.sophos.com/malware/b/blog/posts/powershell-command-history-forensics
# https://darizotas.blogspot.com/2018/10/forensics-powershell-artifacts.html
# https://digital-forensics.sans.org/media/DFPS_FOR508_v4.4_1-19.pdf
# https://www.forensafe.com/blogs/powershell.html
# https://learn.microsoft.com/en-us/powershell/module/psreadline/about/about_psreadline?view=powershell-7.3#command-history
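As an added example (not part of this KAPE target or of KAPE itself), the Python below shows how a target of this shape resolves to files for collection: it parses the Targets list, expands the %user% variable into one directory per profile, and applies the FileMask glob to a directory listing. The parser, the inline copy of two targets, the listing and the user names are constructed assumptions, not KAPE's own implementation.

```python
import fnmatch
import ntpath
# Constructed inline copy of two targets above (stands in for reading the .tkape file).
TKAPE = r"""
Targets:
    -
        Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
        FileMask: '*_history.txt'
    -
        Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
        FileMask: '*_history.txt'
"""
# Constructed directory listing (directory -> file names) standing in for a disk walk.
PSRL = r"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine"
DISK = {
    ntpath.join(r"C:\Users\alice", PSRL): ["ConsoleHost_history.txt", "Visual Studio Code Host_history.txt"],
    ntpath.join(r"C:\Users\bob", PSRL): ["ConsoleHost_history.txt", "notes.txt"],
    ntpath.join(r"C:\Windows\System32\config\systemprofile", PSRL): ["ConsoleHost_history.txt"],
    r"C:\Users\bob\Documents": ["ConsoleHost_history.txt"],  # right name, wrong directory
}
USERS = ["alice", "bob"]  # profile names that %user% expands to
def parse_targets(text):
    # After 'Targets:', each bare '-' opens a block of indented 'Key: value' lines.
    targets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            current = {}
            targets.append(current)
        elif current is not None and raw.startswith(" ") and ":" in line:
            key, value = line.split(":", 1)  # split once: the value itself holds 'C:'
            current[key.strip()] = value.strip().strip("'\"")
    return targets

def expand_paths(target, users):
    # KAPE's %user% variable becomes one directory per user profile.
    path = target["Path"].rstrip("\\")
    return [path.replace("%user%", u) for u in users] if "%user%" in path else [path]

def select_files(targets, users, listing):
    # Directory match is case-insensitive (NTFS; cf. PSReadline vs PSReadLine above); FileMask is a name glob.
    hits = []
    for target in targets:
        wanted = {p.lower() for p in expand_paths(target, users)}
        for directory, names in listing.items():
            if directory.rstrip("\\").lower() in wanted:
                hits += [ntpath.join(directory, n) for n in names
                         if fnmatch.fnmatch(n.lower(), target["FileMask"].lower())]
    return sorted(hits)
```

Note that a file with a matching name outside a listed Path (the Documents entry) is not collected: the target is defined by directory and mask together, which is why the systemprofile and SysWOW64 paths are listed separately above.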