Update T1552.yaml (#2829)

added an atomic which searches for password strings in powershell history file Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-07-04 19:05:04 +02:00
parent 3fd025b45c
commit b1292579d2
1 changed files with 11 additions and 0 deletions
@@ -55,3 +55,14 @@ atomic_tests:
      rm -rf stratus*
    name: sh
    elevation_required: false
+- name: Search for Passwords in Powershell History
+  description: |
+    Find passwords in the powershell history files
+    Searching for following strings: "password", "-p", "key", "pwd", "pass"
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Select-String "password", "-p", "key", "pwd", "pass"
+    name: powershell
+    elevation_required: true