PowerShell History: A Critical Step in Windows Post-Exploitation
Sometimes the easiest step is the one that gives the most “bang for your buck”. The de facto enumeration tools on Windows and Linux are winPEAS and linPEAS, but always go for the low-hanging fruit first: PowerShell history can reveal some juicy stuff right off the bat.
During post-exploitation on a Windows box, one of the first things I always check is PowerShell history. Why? Because administrators and users often run sensitive commands — like credential retrieval, privilege escalation attempts, or system misconfigurations — without realizing they’re leaving behind a trace.
Recently, while enumerating a compromised machine, I attempted to retrieve the PowerShell history, but my first command failed. However, a second approach worked.
This is what I tried first, which is suggested in one of the HTB Academy modules:
gc (Get-PSReadLineOption).HistorySavePath
But it did not work. It threw me an error:
gc : Cannot find path
'C:\Users\Stacy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ServerRemoteHost_history.txt' because it does
not exist.
At line:1 char:1
+ gc (Get-PSReadLineOption).HistorySavePath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound…
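The error above explains itself once you know how PSReadLine names its file: the history file is named after the running host, so from a remoting session `(Get-PSReadLineOption).HistorySavePath` resolves to `ServerRemoteHost_history.txt`, even though the user's interactive console sessions wrote `ConsoleHost_history.txt` in the same folder. The PowerShell below is an added example, not the author's second approach and not HTB Academy material. It lists whichever history files actually exist for the current profile instead of trusting the path for the current host, and then shows the PSReadLine options an administrator can put in `$PROFILE` so that sensitive commands never land in that file to begin with. It assumes PSReadLine 2.1 or newer and the default `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine` location; the function name is mine.

```powershell
# Added example (not from the original post). Assumes PSReadLine 2.1+ and the
# default %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine layout.

function Get-PSReadLineHistoryFile {
    # PSReadLine names the history file after the host that wrote it:
    # ConsoleHost_history.txt for a local console, ServerRemoteHost_history.txt
    # for a PowerShell remoting session. HistorySavePath only reports the file
    # for the *current* host, so enumerate the folder instead of trusting it.
    param(
        [string]$ProfileRoot = $env:APPDATA   # hypothetical parameter for pointing at another profile copy during forensics
    )
    $dir = Join-Path $ProfileRoot 'Microsoft\Windows\PowerShell\PSReadLine'
    if (-not (Test-Path -LiteralPath $dir)) {
        return @()   # nothing saved for this profile (or HistorySaveStyle is SaveNothing)
    }
    Get-ChildItem -LiteralPath $dir -Filter '*_history.txt' -File |
        Select-Object FullName, Length, LastWriteTime
}

# What the current host would use, versus what is really on disk
Write-Host "Path for this host: $((Get-PSReadLineOption).HistorySavePath)"
Get-PSReadLineHistoryFile

# --- Hardening, for $PROFILE ---

# Option 1: keep history in memory for the session but never write it to disk.
# Set-PSReadLineOption -HistorySaveStyle SaveNothing

# Option 2: keep the file but refuse to persist lines that look like they carry
# secrets. PSReadLine 2.1+ already ships a default handler that skips lines
# containing words such as "password", "token" and "secret"; this replaces it
# with a broader pattern. Returning $false runs the command but does not record it.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)
    if ($line -match 'password|asplaintext|token|apikey|secret|ConvertTo-SecureString|-Credential') {
        return $false
    }
    return $true
}
```

The filter is a mitigation, not a guarantee: it only catches commands whose text matches the pattern, so a credential passed in a variable that was populated elsewhere still gets recorded. `SaveNothing` is the stronger choice for accounts that routinely handle secrets.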