🦳
Abdullah AlZahrani
  • Home
  • Bypassing Windows protection mechanisms
    • HTML Smuggling Against VirusTotal
    • Bypass ASR Rule and Dump LSASS
    • Bypass Windows Defender ATP
    • Bypass AVs via Ordinals
    • From Detected to Undetected
    • Dump LSASS By Custom Code
    • Keep Me In Memory
    • Impacket/PsExec & MyPsExec VS Kaspersky
    • PSReadLine History
Powered by GitBook
On this page
  • PoC
  • What Happened
  • Closing Note

Was this helpful?

  1. Bypassing Windows protection mechanisms

PSReadLine History

The PSReadLine history tracks the commands used in all PowerShell sessions. The history is written to a central file per host. That history file is available to all sessions and contains all past hist

Last updated 3 years ago

Was this helpful?

While writing my C2, I found a trick to avoid saving your commands entered during the PowerShell session in the PSReadLine file.

By default, the PowerShell in Windows 10 saves the last 4096 commands.

File located in: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

So, let’s execute our simple code.

while ($true) {$cmdInput = Read-Host -Prompt 'PS> '; Invoke-Expression -Command $cmdInput}

After executing the code, now we can invoke some commands without logging in “ConsoleHost_history.txt”.

PoC

As shown in the picture below, the commands circled in red are only recorded in the PSReadline file.

What Happened

After going back to Microsoft documentation, we will find the answer.

It's about "Order of Commands"

Commands are added to the history when the command finishes executing, not when the command is entered.

Our code, executes commands without being recorded in the history file, because the while loop does not end and count as one command. What happens inside the loop is not recorded.

Closing Note

All commands that have been executed will be recorded in the Event Viewer.