General
PowerShell is a command-line shell and scripting language that is built into Windows. It allows users to automate tasks, manage systems, and perform a wide range of other functions.
PowerShell history refers to the commands that have been typed into the PowerShell console or run from a script. These commands are stored in a history file, which is located in the user's profile directory. By default, the history file is not encrypted, which means that anyone with access to the file can view the commands that have been typed into the PowerShell console.
PowerShell history can be exploited in several ways:
-
Revealing sensitive information: An attacker who has access to the PowerShell history file could potentially view sensitive information that has been typed into the console, such as passwords or other confidential data.
-
Executing malicious commands: An attacker who has access to the PowerShell history file could potentially execute malicious commands that have been typed into the console, potentially allowing the attacker to gain unauthorized access to the system or perform other malicious actions.
-
Tampering with the history file: An attacker could modify the PowerShell history file to add or remove commands, potentially allowing the attacker to cover their tracks or to plant malicious commands that may be executed at a later time.
Commands
Whenever a user runs a command using Powershell, it gets stored into a file that keeps a memory of past commands. This is useful for repeating commands you have used before quickly. If a user runs a command that includes a password directly as part of the Powershell command line, it can later be retrieved by using the following command from a cmd.exe
 prompt:
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Note: The command above will only work from cmd.exe, as Powershell won't recognize %userprofile%
 as an environment variable. To read the file from Powershell, you'd have to replace %userprofile%
 with $Env:userprofile
.Â