search

last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
Other
1.89k stars 185 forks source link

Powershell console history #16

Open yellow-starburst opened 1 year ago

yellow-starburst commented 1 year ago

Feature request to add a way to output the contents of powershell console history that can show the attackers commands. https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html

yellow-starburst commented 1 year ago

Also - yes, I double checked it’s not an added feature. This request is different than a malicious powershell profile that could be used as persistence. https://attack.mitre.org/techniques/T1546/013/

Yes, This attack is more of a forensics related test, that checks what was commands were run in the past X amount of attempts. I know you dislike adding anything related to forensics; I think this is a really important test to look for what the attacker may have done to actually add the persistence. In other words helps reduce time to figure out the persistence needle in the haystack.

last-byte commented 1 year ago

It's not directly related to finding persistences but I may look into it. The thing is, it's not that I don't like forensics, it's that I think tools should do just one thing and do it in the best way possible. Extending PersistenceSniper in that way is going against this "rule", to me. Nonetheless, it may be useful, so I'll look into how to do it.