login-securite / DonPAPI

Dumping DPAPI credz remotely
GNU General Public License v3.0

Add PowerShell history looting #80

Closed Dfte closed 1 week ago

Dfte commented 1 week ago

This PR adds a new collector to dump PowerShell history files:

image

I added this piece of code which is kinda hackish, but I feel like it's important to have these kinds of collectors saving all the files they find in order to easily grep for specific keywords:

```python
import os

# Stores files in loot\PowerShellHistory (a sibling of the collector's own output dir)
history_dir = os.path.join(self.context.output_dir, "..", "PowerShellHistory")
os.makedirs(history_dir, exist_ok=True)
# One local file per remote history file found: <remote file name>-<running counter>
local_filepath = os.path.join(history_dir, f"{item.get_longname()}-{self.found}")
with open(local_filepath, "wb") as f:
    # A history file that could not be read is still recorded, as an empty loot file
    f.write(file_content if file_content is not None else b"")
```

Which gives the following loot dir:

image

Hope you don't mind :P (otherwise I can work on adding the loot dir as another parameter so that I can store results properly)
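As an added example (not part of this PR or of DonPAPI's own code), a stand-alone triage script over the loot/PowerShellHistory layout the PR produces: it flags saved PSReadLine history lines that carry plaintext credentials so the affected accounts can be rotated and the history purged. File names, contents and the keyword patterns are constructed assumptions, not taken from the project.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns that commonly indicate a plaintext credential left in PSReadLine history.
SENSITIVE_PATTERNS = [
    re.compile(r"-AsPlainText", re.IGNORECASE),
    re.compile(r"ConvertTo-SecureString\s+['\"]", re.IGNORECASE),
    re.compile(r"net\s+user\s+\S+\s+\S+", re.IGNORECASE),
    re.compile(r"(?:--password|-Password|password\s*=)\s*\S+", re.IGNORECASE),
    re.compile(r"(?:token|apikey|secret)\s*[=:]\s*\S+", re.IGNORECASE),
]

def scan_history_file(path):
    """Return (line_number, line) pairs from one saved history file that match a sensitive pattern."""
    hits = []
    # History files are saved as raw bytes by the collector; decode leniently rather than fail.
    with open(path, "rb") as f:
        for lineno, raw in enumerate(f, start=1):
            line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if any(p.search(line) for p in SENSITIVE_PATTERNS):
                hits.append((lineno, line))
    return hits

def scan_loot_dir(loot_dir):
    """Walk a loot/PowerShellHistory dir (files named <longname>-<n>) and map each file to its hits."""
    report = {}
    for entry in sorted(Path(loot_dir).iterdir()):
        if entry.is_file():
            hits = scan_history_file(entry)
            if hits:
                report[entry.name] = hits
    return report

def build_sample_loot(root):
    """Constructed sample loot: two saved history files, only the first containing credential material."""
    d = Path(root) / "PowerShellHistory"
    d.mkdir(parents=True, exist_ok=True)
    (d / "ConsoleHost_history.txt-1").write_bytes(
        b"Get-Process\r\n"
        b"$pw = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force\r\n"
        b"net user svc_backup Backup123 /add\r\n"
        b"Get-ChildItem C:\\Temp\r\n"
    )
    (d / "ConsoleHost_history.txt-2").write_bytes(b"Get-Date\r\ncd C:\\Users\r\n")
    return d

def run_demo():
    """Build the constructed sample loot in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_loot_dir(build_sample_loot(tmp))

if __name__ == "__main__":
    for name, hits in run_demo().items():
        for lineno, line in hits:
            print(f"{name}:{lineno}: {line}")
```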