Powershell History

Overview

  • Evidence: Powershell History
  • Description: Collect Powershell History
  • Category: System
  • Platform: Windows
  • Short Name: powershe
  • Is Parsed: Yes
  • Sent to Investigation Hub: Yes
  • Collect File(s): No

Background

PowerShell command history, as written by the PSReadLine module to ConsoleHost_history.txt, records the commands typed into interactive PowerShell console sessions, one command per line, for each user profile on the system. Because PowerShell is both a standard administration tool and a favoured living-off-the-land interpreter for attackers (encoded commands, download cradles, in-memory execution), this history is a primary source for reconstructing what an administrator or an intruder did at the console.

Data Collected

This collector gathers structured data about PowerShell command history: one record per command line read from the history files, with the fields listed below.

Powershell History Data

| Field | Description | Example |
| --- | --- | --- |
| ID | Primary key (auto-increment) | 1 |
| Command | PowerShell command as recorded in the history file | Get-Process |
| HistoryFile | Full path of the history file the command was read from | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt |
| Timestamp | Command timestamp | 2023-10-15 14:30:25 |
| ExecutionTime | Execution time of the command | 0.123 |
| ExitCode | Exit code of the command | 0 |

Collection Method

This collector parses the necessary data from the powershell_history table.

This collector collects files from the following location. The %APPDATA% path expands per user, so a separate history file exists for every account that has used an interactive PowerShell console, and all user profiles must be enumerated, not only the current one:

  • %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ (the history file itself is ConsoleHost_history.txt)

Usage

This evidence is valuable in forensic investigations because it records the exact PowerShell command lines a user typed. Investigators use it to reconstruct system administration activity, detect malicious PowerShell usage (encoded commands, download cradles, Invoke-Expression, execution-policy bypasses, credential and discovery commands) and follow command-based attacks across accounts. Read together with the HistoryFile path, the records attribute each command to a user profile, so a history file under an account that should never run PowerShell interactively is itself an indicator. Analysts can use this information to identify compromised accounts, trace an intruder's console activity and assess the Windows security posture of the host.
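The script below is an added example, not the collector's own code or any code from the page's project. It shows what a parser over the collected location does in practice: it walks every profile under Users, rebuilds multi-line commands from PSReadLine's on-disk format, decodes -EncodedCommand payloads (base64 of UTF-16LE script text) and tags commands that match a small set of constructed indicator patterns. The $Root parameter, the pattern list, the helper names and the output fields are assumptions for illustration; the file name and per-user path are PSReadLine's defaults.

```powershell
# Added example (not the collector's code): triage PSReadLine history for every
# user profile under $Root\Users. $Root may be C:\ on a live host or the mount
# point of an offline image. Pattern list and field names are illustrative.
param(
    [string]$Root = 'C:\'
)

$histRel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

# Constructed indicator patterns: label -> case-insensitive regex.
$patterns = [ordered]@{
    'encoded-command'    = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    'download-cradle'    = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b'
    'invoke-expression'  = '\bIEX\b|Invoke-Expression'
    'exec-policy-bypass' = '-(ep|ExecutionPolicy)\s+Bypass'
    'history-tampering'  = 'HistorySaveStyle\s+SaveNothing|ConsoleHost_history|Clear-History'
}

function Read-PSReadLineHistory {
    param([string]$Path)
    # PSReadLine stores one command per line. A multi-line command is written as
    # consecutive lines where every line except the last ends with a backtick,
    # so those lines are joined back into a single command here.
    $commands = New-Object System.Collections.Generic.List[string]
    $buffer = $null
    foreach ($line in Get-Content -LiteralPath $Path -Encoding UTF8) {
        if ($line.EndsWith('`')) {
            $buffer += $line.TrimEnd('`') + "`n"
            continue
        }
        $commands.Add($buffer + $line)
        $buffer = $null
    }
    if ($buffer) { $commands.Add($buffer.TrimEnd("`n")) }
    return $commands
}

function ConvertFrom-EncodedCommand {
    param([string]$Command)
    # -EncodedCommand carries base64 of UTF-16LE text; decode it for the analyst.
    $m = [regex]::Match($Command, '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return $null
    }
}

$usersDir = Join-Path $Root 'Users'
$results = foreach ($userDir in Get-ChildItem -LiteralPath $usersDir -Directory -ErrorAction SilentlyContinue) {
    $histPath = Join-Path $userDir.FullName $histRel
    if (-not (Test-Path -LiteralPath $histPath)) { continue }
    $file = Get-Item -LiteralPath $histPath
    $index = 0
    foreach ($cmd in Read-PSReadLineHistory -Path $histPath) {
        $index++
        $hits = foreach ($p in $patterns.GetEnumerator()) {
            if ($cmd -match $p.Value) { $p.Key }
        }
        [pscustomobject]@{
            User          = $userDir.Name
            Index         = $index          # position in the file; the file has no per-command timestamps
            Command       = $cmd
            Decoded       = ConvertFrom-EncodedCommand -Command $cmd
            Indicators    = ($hits -join ',')
            HistoryFile   = $histPath
            FileLastWrite = $file.LastWriteTimeUtc   # only time bound the file itself provides
        }
    }
}

# Flagged commands first; keep $results for the full per-user timeline by Index.
$results | Where-Object Indicators | Format-Table User, Index, Indicators, Command -AutoSize
```

Run it as the collecting user with read access to every profile (an administrator on a live host, or any user against a mounted image). The Index field preserves the order commands were entered, which is the only ordering the file guarantees; FileLastWrite gives an upper bound on when the last command in that file was entered.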

Notes

This data may contain sensitive information (credentials typed on the command line, hostnames, internal paths) that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.

Interpretation caveats a practitioner should keep in mind:

  • Only interactive console sessions are recorded. Commands run non-interactively through powershell.exe -Command, -File or -EncodedCommand, from scheduled tasks, WMI or remoting, do not appear in ConsoleHost_history.txt; correlate with script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for those.
  • The history file stores command text only, one command per line, with no per-command timestamp; the file's last-write time is the only time bound the artifact itself provides.
  • Newer PSReadLine versions skip saving command lines that contain words such as password, asplaintext, token, apikey or secret, so the absence of a credential-bearing command is not evidence it was never run.
  • History can be disabled (Set-PSReadLineOption -HistorySaveStyle SaveNothing) or the file deleted; an empty or missing file on an account that clearly used PowerShell is itself worth noting, and a command that touches the history file or its settings should be treated as possible anti-forensics.
