A collection of cybersecurity content.

PowerShell History: Examining the ConsoleHost_History.txt File

Did you know that Windows OS stores a history of its PowerShell console commands in a file on the hard drive?

Intro

The ConsoleHost_history.txt file is a log file for Windows PowerShell that records all the commands executed in the console which is updated every time a command is executed. This file provides a list of command history, allowing users to recall and re-execute previous commands. It serves as a useful reference to both blue and red teams and is located at C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.

Blue Team

The ConsoleHost_history.txt file is a valuable tool for blue teams, as it provides a record of all the commands executed in the PowerShell console on a system. This information can be used to help identify suspicious activity, to understand the actions that have been taken on a system, and to detect and mitigate security threats.

For example, if a blue team suspects that a system has been compromised, they can review the contents of the ConsoleHost_history.txt file to determine if any suspicious commands were executed in the PowerShell console. This information can help the team to understand the scope of the compromise, the methods used by the attacker, and the potential impact of the attack on the system and the network. The blue team can also use the information contained in the ConsoleHost_history.txt file to identify any configuration changes that were made to the system, or to track the deployment of security tools and other security-related activities.

The ConsoleHost_history.txt file is very limited and only records commands executed in the PowerShell console.

However, it is important to note that the ConsoleHost_history.txt file does not record PowerShell commands outside the console. This means that it is possible for malicious activity to go unnoticed if it is executed in memory rather than through the console. As a result, it should not be relied upon as the sole source of PowerShell command information for incident response or forensic investigations. Instead, script-block logging should be used to provide a record of PowerShell activity on a system.

If an attacker uses PowerShell to execute code that injects into another process, and the injection involves a PowerShell script block, the injected code and any parameters that are passed to it will be logged in the script block log. However, if the process injection is performed by a method that does not involve a PowerShell script block, such as through a binary executable, then it is unlikely that script block logging will capture this activity.

Red Team

The ConsoleHost_history.txt file is a plain text file that can be easily accessed and read by unauthorized parties. This means that sensitive information, such as commands and tools executed on a system, as well as any data entered into the PowerShell console, could be potentially exposed. It is crucial to consider the security implications of this information being recorded in the file as it can give adversaries more information on how to better proceed with their mission and blend in with normal operations.

For instance, if a password is used during the creation of an account using a command like ‘net use /add‘, it could be recorded in the output file, revealing information such as account naming conventions, password patterns, and, potentially, even compromising the new account if proper security measures are not in place. Perhaps there is mention of commonly used software that might prove useful to use? Plink? Visual Studio? Any tool that helps you “live off the land” means less chance of detection.

Script

The following script will create a directory at C:\temp\PowerShellHistory to store all ConsoleHost_history.txt files of each user on the host. In order to differentiate between each user’s ConsoleHost_history.txt file, the username is prepended to each file in the new copy in C:\temp\PowerShell.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Get all the user directories in the C:\Users directory
$users = Get-ChildItem C:\Users

# Iterate through each user directory
foreach ($user in $users)
{
    # Check if the current item in the loop is a user directory
    if ($user.PSIsContainer)
    {
        # Construct the path to the ConsoleHost_history.txt file for the current user
        $historyFile = "$($user.FullName)\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
        
        # Check if the ConsoleHost_history.txt file exists for the current user
        if (Test-Path $historyFile)
        {
            # Set the output directory where the output files will be saved
            $outputDir = "C:\temp\PowerShellHistory"
            
            # Check if the output directory exists. If not, create it.
            if (!(Test-Path $outputDir))
            {
                New-Item -ItemType Directory -Path $outputDir
            }
            
            # Set the output file name for the current user
            $outputFile = "$outputDir\$($user.Name)_consoleHost_History.txt"
            
            # Extract the content of the ConsoleHost_history.txt file for the current user and save it to the output file
            Get-Content $historyFile | Out-File $outputFile
        }
    }
}
Conclusion

The ConsoleHost_history.txt file is a plain text file that records the activities performed in PowerShell console sessions. It is not encrypted and can be easily accessed by unauthorized parties. The file can also be a valuable resource for security professionals, providing valuable insights into system activities and potential security risks. It is a useful tool for the savvier users of PowerShell, but it should not be relied upon as the sole source of information for incident response or forensic investigations and should be used in conjunction with PowerShell script-block logging.