[SMB] Powershell history module rework #449
Open
+47
−56
Hey @357384n !
As mentioned in your PR, I love this module. This is going to be pretty useful!
However I believe we can remove the powershell_execute part as it raises an unnecessary process creation that can be flagged by an EDR.
To replace it, I manually crawl c:\Users and look for powershell history files.
On the other hand, I don't believe it is a good idea to look for specific keywords as you can miss quite a lot of information. Let's say a user types the "net user Administrateur Defte@WF" command, you won't see it.
As such I left the grep option but still print the entire powershell history, see:
I also removed redundant key strings such as password and passw when you can already grep for "pass".
Finally, and to be honest, I think we should enforce the export to a file option as I believe a lot of people will spray this module and will want to have an export somewhere.
Let me know what you guys think about that :P
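The approach described in the review above (crawl the users' profile directories for PSReadLine history files instead of spawning powershell.exe, always dump the full history, keep grep as an optional filter, and write everything to an export file), as an added stand-alone illustration. This is not the code from the PR or from the project; it assumes the share listing has already been fetched and is handed in as a dict of path to file content, and it uses the standard PSReadLine location `AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\<Host>_history.txt`. The sample paths and history contents are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed stand-in for a crawled C$ share: relative path -> file content.
# These users, commands and credentials are invented for the example.
SAMPLE_SHARE = {
    r"Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt":
        "Get-Process\nnet user Administrateur Defte@WF\n$cred = Get-Credential\n",
    r"Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt":
        "Set-Location C:\\temp\nInvoke-WebRequest http://intranet -Credential $cred\n",
    r"Users\Public\Desktop\readme.txt": "nothing to see here\n",
    # PSReadLine keeps one file per host application, not only ConsoleHost.
    r"Users\carol\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\Visual Studio Code Host_history.txt":
        "password = 'hunter2'\n",
}

# Directory under each profile where PSReadLine stores its history files.
HISTORY_DIR = PureWindowsPath("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine")


def is_history_file(path):
    """True for Users\\<user>\\AppData\\...\\PSReadLine\\<Host>_history.txt (case-insensitive)."""
    p = PureWindowsPath(path)
    parts = p.parts
    return (
        len(parts) >= 3
        and parts[0].lower() == "users"
        and PureWindowsPath(*parts[2:-1]) == HISTORY_DIR
        and p.name.lower().endswith("_history.txt")
    )


def find_histories(share):
    """Select the history files from a crawled listing without executing anything remotely."""
    return {path: content for path, content in share.items() if is_history_file(path)}


def user_of(path):
    """Profile name is the component right after 'Users'."""
    return PureWindowsPath(path).parts[1]


def grep_history(content, pattern):
    """Optional filter: lines matching a case-insensitive regex such as 'pass'."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in content.splitlines() if rx.search(line)]


def collect(share, pattern=None):
    """Always keep the full history per user; attach grep hits only when a pattern is given."""
    results = []
    for path, content in sorted(find_histories(share).items()):
        results.append({
            "user": user_of(path),
            "path": path,
            "lines": content.splitlines(),
            "hits": grep_history(content, pattern) if pattern else [],
        })
    return results


def render(results):
    """Text form of the full dump, suitable for the enforced export file."""
    out = []
    for r in results:
        out.append(f"### {r['user']} : {r['path']}")
        out.extend(r["lines"])
        if r["hits"]:
            out.append(f"--- grep hits for {r['user']}: {len(r['hits'])}")
            out.extend("  " + h for h in r["hits"])
    return "\n".join(out) + "\n"


def export(results, out_path):
    """Write the rendered dump to disk and return the path written."""
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(render(results))
    return out_path


if __name__ == "__main__":
    # Grepping only for "pass" misses alice's "net user ... Defte@WF" line,
    # which is why the full history is printed regardless of the filter.
    print(render(collect(SAMPLE_SHARE, pattern="pass")))
```

Running the block shows alice's `net user Administrateur Defte@WF` line in the full dump with zero grep hits for `pass`, which is the reviewer's argument for always printing the whole history; carol's `password = 'hunter2'` is the only hit.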