From b1292579d2c741b62b2dfc823b05f701ca64f36c Mon Sep 17 00:00:00 2001
From: skandler <133157403+skandler@users.noreply.github.com>
Date: Thu, 4 Jul 2024 19:05:04 +0200
Subject: [PATCH] Update T1552.yaml (#2829)

added an atomic which searches for password strings in powershell history file

Co-authored-by: Carrie Roberts
---
 atomics/T1552/T1552.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/atomics/T1552/T1552.yaml b/atomics/T1552/T1552.yaml
index 60894e87..07a81843 100644
--- a/atomics/T1552/T1552.yaml
+++ b/atomics/T1552/T1552.yaml
@@ -55,3 +55,14 @@ atomic_tests:
 rm -rf stratus*
 name: sh
 elevation_required: false
+- name: Search for Passwords in Powershell History
+ description: |
+ Find passwords in the powershell history files
+ Searching for following strings: "password", "-p", "key", "pwd", "pass"
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Select-String "password", "-p", "key", "pwd", "pass"
+ name: powershell
+ elevation_required: true
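Review bot: The new `command` line prints every matching history line in full, and with `elevation_required: true` the `C:\Users\*` wildcard covers every profile on the host, so any real credentials in those files end up in the executor output and in whatever log captures it; the `description` does not mention this. I would add a sentence to the description such as `Matching lines are printed in full; run on a lab host and treat the execution log as sensitive.` The description could also state that `Select-String` treats the five strings as case-insensitive regular expressions matched anywhere in a line, so `"pass"` already covers `"password"`, and `"-p"` and `"key"` will also hit unrelated parameters and words. `-R` looks unnecessary, since the path already names the file.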