dissect.target.plugins.apps.shell.powershell

Module Contents

Classes

PowerShellHistoryPlugin

Windows PowerShell history plugin.

Attributes

dissect.target.plugins.apps.shell.powershell.ConsoleHostHistoryRecord

class dissect.target.plugins.apps.shell.powershell.PowerShellHistoryPlugin(target)

Bases: dissect.target.plugin.Plugin

Windows PowerShell history plugin.

PATHS = ['AppData/Roaming/Microsoft/Windows/PowerShell/psreadline', '.local/share/powershell/PSReadLine']
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

powershell_history() → Iterator[ConsoleHostHistoryRecord]

Return PowerShell command history for all users.

The PowerShell ConsoleHost_history.txt file contains information about the commands executed with PowerShell in a terminal. No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed. PSReadLine does not save commands containing ‘password’, ‘asplaintext’, ‘token’, ‘apikey’ or ‘secret’.
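The recording gaps described above matter when the history file is compared with commands seen in another source. The following is an added example, not part of dissect: it parses history text and explains why an observed command may be absent. The function names, the sample data and the backtick rule for multi-line entries are assumptions of this example.

```python
import re

# Keyword list as given in the plugin documentation above.
SENSITIVE = re.compile(r"password|asplaintext|token|apikey|secret", re.IGNORECASE)


def parse_history(text):
    """Split ConsoleHost_history.txt content into commands.

    Assumption: a multi-line command is stored with a trailing backtick on
    every line except its last, so those lines are rejoined here.
    """
    commands, parts = [], []
    for line in text.splitlines():
        if line.endswith("`"):
            parts.append(line[:-1])
            continue
        parts.append(line)
        commands.append("\n".join(parts))
        parts = []
    if parts:  # file ends inside a continued entry (truncated copy)
        commands.append("\n".join(parts))
    return commands


def explain_gaps(observed, history_text):
    """Map each observed command that is missing from history to a reason.

    "unexplained" covers the other cases the documentation names: a
    terminal-less session, or a command whose process had not completed.
    """
    recorded = set(parse_history(history_text))
    gaps = {}
    for command in observed:
        if command in recorded:
            continue
        match = SENSITIVE.search(command)
        gaps[command] = f"filtered keyword: {match.group(0).lower()}" if match else "unexplained"
    return gaps


# Constructed sample data, not taken from a real system.
SAMPLE_HISTORY = "whoami\nGet-ChildItem `\n  -Recurse C:\\Temp\nGet-Process\n"
SAMPLE_OBSERVED = [
    "whoami",
    "Get-ChildItem \n  -Recurse C:\\Temp",
    "ConvertTo-SecureString 'x' -AsPlainText -Force",
    "Remove-Item C:\\Temp\\a.txt",
]
```

`SAMPLE_OBSERVED` stands in for commands recovered from a second source such as process or script-block logs.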

References