You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Some of the interesting artifacts (availability may depend on PS version and configurations):
Powershell Command History
%%users.userprofile%%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PowerShell Transcript: For PowerShell versions 2, 3, 4 & 5
If configured, records transcript of everything entered during a PowerShell session + command output
Default Path: %%users.homedir%%\My Documents\PowerShell_transcript..txt
Script Block logging
Microsoft-WindowsPowerShell%4Operational.evtx
Event number: 4103, 4104
Logs suspicious scripts by default in PS v5
Authenticating User
Microsoft-WindowsPowerShell%4Operational.evtx
53504
Local initiation of powershell
Microsoft-WindowsPowerShell%4Operational.evtx
40961, 40962
The text was updated successfully, but these errors were encountered:
Some of the interesting artifacts (availability may depend on PS version and configurations):
Powershell Command History
%%users.userprofile%%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PowerShell Transcript: For PowerShell versions 2, 3, 4 & 5
If configured, records transcript of everything entered during a PowerShell session + command output
Default Path: %%users.homedir%%\My Documents\PowerShell_transcript..txt
Script Block logging
Microsoft-WindowsPowerShell%4Operational.evtx
Event number: 4103, 4104
Logs suspicious scripts by default in PS v5
Authenticating User
Microsoft-WindowsPowerShell%4Operational.evtx
53504
Local initiation of powershell
Microsoft-WindowsPowerShell%4Operational.evtx
40961, 40962
The text was updated successfully, but these errors were encountered: