Full Report
Carrie Roberts // PowerShell incorporates the handy feature of writing commands executed to a file to make them easy to refer back to later. This functionality is provided by the […] The post New PowerShell History Defense Evasion Technique appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: PSReadline Module History Manipulation
## Overview
The PowerShell `PSReadline` module includes a feature to automatically skip writing commands containing specific sensitive keywords (like 'Password', 'Token', 'Apikey', etc.) to the command history file. While intended as a usability and security enhancement for sensitive input, this functionality can be leveraged by attackers as an easy **Defense Evasion** technique to hide executed malicious commands from forensic analysis of the history file.
## Technical Details
- Type: Technique (Leveraging a built-in feature/module)
- Platform: Windows (Specifically Windows PowerShell 5.1 and PowerShell 7+)
- Capabilities: Automatic scrubbing of history for pre-defined sensitive terms; User-defined control over history logging via `AddToHistoryHandler`.
- First Seen: N/A (Relates to PSReadline versions 2.0.4+ and PowerShell 7.0.11+ functionality, with the security implication discussed in late 2022).
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1070 - Indicator Removal
- T1070.006 - Indicator Removal: File Deletion (Relevant if history file is deleted)
- T1070.004 - Indicator Removal: File Deletion (Relevant when using functions to ignore/remove history entries)
## Functionality
### Core Capabilities
* **Sensitive Word Filtering:** PSReadline versions v2.0.4+ automatically skip logging commands containing strings like `Password`, `Asplaintext`, `Token`, or `Apikey`.
* **Comment Evasion:** Attackers can intentionally include one of these sensitive keywords within a comment (`#`) of a malicious command to prevent the entire command line from being recorded in the history file.
### Advanced Features
* **Custom History Handler:** An attacker can completely redefine the history logging logic for the current session using `Set-PSReadLineOption -AddToHistoryHandler { return $false }`, effectively disabling history saving entirely for that session.
* **History Path Modification:** Changing the output path of the history file using `-HistorySavePath` to a temporary or obscure location.
* **History Saving Style Override:** Using `-HistorySaveStyle SaveNothing` to stop logging.
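The three settings above are all visible from inside a session through `Get-PSReadLineOption`, and an attacker who wants them to survive a new window has to put them in a profile script. The following audit is an added example written for this summary, not code from the original post or from the PSReadLine project: it reports the session's history options, the state of the history file (the default file name for the console host is the page's `ConsoleHost_history.txt`; PSReadLine names it after `$Host.Name`), and any profile script that sets one of the three history parameters. The `Get-PSReadLineHistoryAudit` function name is ours.

```powershell
# Added example, not code from the original post: audit a PowerShell session and
# its profile scripts for the PSReadLine history settings described above.
# Requires the PSReadLine module (bundled with Windows PowerShell 5.1 and PowerShell 7).

function Get-PSReadLineHistoryAudit {
    [CmdletBinding()]
    param()

    $opt = Get-PSReadLineOption
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Session options that change what reaches the history file.
    if ($opt.HistorySaveStyle -ne 'SaveIncrementally') {
        $findings.Add("HistorySaveStyle is '$($opt.HistorySaveStyle)' (PSReadLine default is SaveIncrementally)")
    }
    # PSReadLine names the file "<host name>_history.txt"; for the console host that is
    # ConsoleHost_history.txt. A different leaf name means -HistorySavePath was used.
    $expectedLeaf = "$($Host.Name)_history.txt"
    if ($opt.HistorySavePath -and (Split-Path $opt.HistorySavePath -Leaf) -ne $expectedLeaf) {
        $findings.Add("HistorySavePath was redirected to '$($opt.HistorySavePath)'")
    }

    # 2. History file state. A file whose LastWriteTime stops advancing while the
    #    session is in use is the "abrupt cessation" indicator from the text.
    $file = $null
    if ($opt.HistorySavePath -and (Test-Path -LiteralPath $opt.HistorySavePath)) {
        $item = Get-Item -LiteralPath $opt.HistorySavePath
        $file = [pscustomobject]@{
            Path          = $item.FullName
            LastWriteTime = $item.LastWriteTime
            Lines         = (Get-Content -LiteralPath $item.FullName | Measure-Object -Line).Lines
        }
    } else {
        $findings.Add("No history file found at '$($opt.HistorySavePath)'")
    }

    # 3. Profile scripts that would re-apply a tampered setting in every new session.
    $pattern = 'Set-PSReadLineOption\b.*-(AddToHistoryHandler|HistorySaveStyle|HistorySavePath)'
    $profilePaths = 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost' |
        ForEach-Object { $PROFILE.$_ } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($p in $profilePaths) {
        Select-String -LiteralPath $p -Pattern $pattern | ForEach-Object {
            $findings.Add("Profile '$($_.Path)' line $($_.LineNumber): $($_.Line.Trim())")
        }
    }

    [pscustomobject]@{
        HistorySaveStyle    = $opt.HistorySaveStyle
        HistorySavePath     = $opt.HistorySavePath
        # The handler cannot be judged by itself; record it and compare with a known-good baseline.
        AddToHistoryHandler = "$($opt.AddToHistoryHandler)"
        HistoryFile         = $file
        Findings            = $findings
    }
}

Get-PSReadLineHistoryAudit | Format-List
```

Run it in the session under review (or in a fresh session to see what the profiles set). An empty `Findings` list only says the session's own settings look default; it says nothing about commands that PSReadLine's sensitive-word filter has already skipped, which is why the logging controls under Mitigation Strategies matter more than the history file itself.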
## Indicators of Compromise
- File Hashes: N/A (Focus is on built-in functionality behavior)
- File Names: `ConsoleHost_history.txt` (Default history file location/name)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
* Execution of cmdlets modifying `PSReadLineOption` settings (e.g., `Set-PSReadLineOption`).
* Use of comments containing keywords like `Password` or `Token` adjacent to suspicious PowerShell commands.
* Abrupt cessation of entries in the PowerShell history file.
## Associated Threat Actors
- General Adversaries/Red Teamers (Described as a trick the author would use on a red teaming engagement).
## Detection Methods
- Signature-based detection: No common signatures for the underlying feature, but signatures could be written for specific malicious command usage alongside history manipulation.
- Behavioral detection: Monitoring for modifications to `PSReadLineOption` parameters, especially setting `-AddToHistoryHandler` or `-HistorySaveStyle`.
- YARA rules if available: N/A
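Both behavioural detections above reduce to pattern matches over recorded command text, and Script Block Logging (event 4104) is the record that survives history manipulation. The block below is an added example for this summary, not code from the original post: it encodes the two indicators as regular expressions, runs them over constructed sample command lines (including a benign `Set-PSReadLineOption` use and a harmless comment that happens to contain `token`, to show the false-positive surface), and then, on Windows, over real 4104 events. The function names `Test-HistoryEvasion` and `Find-HistoryEvasionEvents` are ours.

```powershell
# Added example, not from the original post: flag the history-evasion indicators
# listed above, first on constructed sample command lines, then (on Windows, when
# Script Block Logging is enabled) on real 4104 events from the PowerShell log.

# Indicators from the text. -match is case-insensitive by default.
$HistoryEvasionIndicators = [ordered]@{
    # Set-PSReadLineOption with one of the three history-controlling parameters.
    # PowerShell accepts unambiguous parameter prefixes, so match a prefix of each name.
    'PSReadLine history option changed' = 'Set-PSReadLineOption\b.*\s-(AddToHistoryH|HistorySaveS|HistorySaveP)\w*'
    # A sensitive keyword inside a comment (the strings PSReadLine v2.0.4+ skips on).
    'Sensitive keyword in comment'      = '#.*\b(password|asplaintext|token|apikey)\b'
}

function Test-HistoryEvasion {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)
    $hits = foreach ($kv in $HistoryEvasionIndicators.GetEnumerator()) {
        if ($Command -match $kv.Value) { $kv.Key }
    }
    [pscustomobject]@{ Command = $Command; Indicators = @($hits) }
}

# Constructed samples (not real captured commands).
$samples = @(
    'Get-ChildItem C:\Users',                                       # benign
    'Set-PSReadLineOption -AddToHistoryHandler { return $false }',  # from the text
    'Set-PSReadLineOption -HistorySaveStyle SaveNothing',           # from the text
    'Set-PSReadLineOption -PredictionSource History',               # unrelated option, benign
    'Read-Host -AsSecureString # prompt for token'                  # benign comment, still flagged
)
$samples | ForEach-Object { Test-HistoryEvasion -Command $_ } | Format-Table -AutoSize

function Find-HistoryEvasionEvents {
    param([int]$MaxEvents = 2000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Properties[2].Value   # ScriptBlockText field of event 4104
            $r = Test-HistoryEvasion -Command "$text"
            if ($r.Indicators.Count -gt 0) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Indicators  = $r.Indicators -join '; '
                    ScriptBlock = $text
                }
            }
        }
}

if ($env:OS -eq 'Windows_NT') { Find-HistoryEvasionEvents | Format-List }
```

The comment-keyword indicator is noisy on its own (the `Read-Host` sample shows why), so treat it as context for the first indicator or for other suspicious activity in the same session rather than as an alert by itself.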
## Mitigation Strategies
- **System Hardening:** Ensure Windows PowerShell 5.1 is updated to a version that includes newer PSReadline versions supporting sensitive scrubbing, or manually update the module.
- **Process Monitoring:** Audit PowerShell processes for the execution of `Set-PSReadLineOption` cmdlets that alter history behavior.
- **Logging Enhancement:** Implement robust logging outside of the default PowerShell history file mechanism (e.g., PowerShell transcript logging, Script Block Logging) that captures execution **before** history modules can modify it.
- **Language Mode:** Utilizing ConstrainedLanguage mode (`$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"`) limits available features and may impact history manipulation capabilities.
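The logging-enhancement item is the one that actually removes the attacker's leverage, because Script Block Logging and transcription are applied by machine policy and record the command before PSReadLine decides whether to keep it. The block below is an added example for this summary, not code from the original post: it reads the documented Group Policy registry locations for both controls and, when run as administrator, sets them. The transcript directory `C:\PSTranscripts` and the function names `Get-PowerShellLoggingPolicy` and `Enable-PowerShellLoggingPolicy` are our assumptions.

```powershell
# Added example, not from the original post: read and (as administrator) set the
# machine-wide Script Block Logging and Transcription policies, which record what
# ran regardless of how a session's PSReadLine history is configured.
# Registry paths are the documented Group Policy locations; the transcript
# directory is an assumed value to adapt.

$ScriptBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$TranscriptKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PowerShellLoggingPolicy {
    [pscustomobject]@{
        ScriptBlockLogging    = (Get-RegValue $ScriptBlockKey 'EnableScriptBlockLogging') -eq 1
        Transcription         = (Get-RegValue $TranscriptKey 'EnableTranscripting') -eq 1
        TranscriptInvocHeader = (Get-RegValue $TranscriptKey 'EnableInvocationHeader') -eq 1
        TranscriptDirectory   = Get-RegValue $TranscriptKey 'OutputDirectory'
    }
}

function Enable-PowerShellLoggingPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed path; in production use a share users can write to but not read back.
        [string]$TranscriptDirectory = 'C:\PSTranscripts'
    )
    foreach ($key in @($ScriptBlockKey, $TranscriptKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess($ScriptBlockKey, 'Set EnableScriptBlockLogging = 1')) {
        Set-ItemProperty -Path $ScriptBlockKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($TranscriptKey, "Enable transcription to $TranscriptDirectory")) {
        Set-ItemProperty -Path $TranscriptKey -Name EnableTranscripting    -Value 1 -Type DWord
        # Invocation headers timestamp each command in the transcript.
        Set-ItemProperty -Path $TranscriptKey -Name EnableInvocationHeader -Value 1 -Type DWord
        Set-ItemProperty -Path $TranscriptKey -Name OutputDirectory -Value $TranscriptDirectory -Type String
    }
    Get-PowerShellLoggingPolicy
}

# Report only. Preview changes with Enable-PowerShellLoggingPolicy -WhatIf, then run it elevated.
Get-PowerShellLoggingPolicy
```

Because these keys live under `HKLM\SOFTWARE\Policies`, they apply to every new session on the host and cannot be undone from within an unprivileged session, unlike the session-scoped language mode assignment above; forward the resulting 4104 events and transcripts off the host so they are out of reach of the same account that can edit `ConsoleHost_history.txt`.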
## Related Tools/Techniques
- PowerShell Script Block Logging (A superior, more robust logging technique).
- Just Enough Administration (JEA) (Mentioned in context of general PowerShell hardening).