{
	"id": "fc22d58d-22b8-44f0-be23-205014f62ad9",
	"created_at": "2026-04-06T01:31:10.525811Z",
	"updated_at": "2026-04-10T03:20:49.896381Z",
	"deleted_at": null,
	"sha1_hash": "eeaccc729cac308d6856086924cea292de24fa70",
	"title": "Windows privilege escalation via PowerShell History",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1514272,
	"plain_text": "Windows privilege escalation via PowerShell History\r\nBy Michael Koczwara\r\nPublished: 2022-08-21 · Archived: 2026-04-06 00:48:26 UTC\r\nMar 14, 2021\r\nThe PowerShell terminal stores the full command history in a text file. When an administrator has used hard-coded credentials to perform an operation in a regular user's environment (for example, the student user) using PowerShell, the PowerShell command history has to be cleaned afterwards. If the administrator forgets to clean up the history, sensitive information such as credentials and configuration settings is left exposed.\r\nThe default location for the PowerShell command history:\r\n%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt\r\ni.e.\r\nC:\\Users\\student\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt\r\nChecking PowerShell History.\r\nhttps://michaelkoczwara.medium.com/windows-privilege-escalation-dbb908cce8d4\r\nPowerShell History.\r\nAs shown, the ConsoleHost_history.txt file contains all the executed PowerShell commands. We could go through it line by line, or filter it using the Select-String cmdlet. 
In this case, we will be looking at the file manually.\r\nHunting for credentials.\r\nObtained creds:\r\nadministrator: alita_123321\r\nLogging in as administrator.\r\nSetting up Metasploit in order to gain remote access.\r\nSetting up hta_server.\r\n“This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell.”\r\nExecuting the payload.\r\nMeterpreter/C2 channel.\r\nShell access.\r\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\r\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). 
This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.\r\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide the PowerShell commands they have run.\r\nSource: https://michaelkoczwara.medium.com/windows-privilege-escalation-dbb908cce8d4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://michaelkoczwara.medium.com/windows-privilege-escalation-dbb908cce8d4"
	],
	"report_names": [
		"windows-privilege-escalation-dbb908cce8d4"
	],
	"threat_actors": [],
	"ts_created_at": 1775439070,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeaccc729cac308d6856086924cea292de24fa70.pdf",
		"text": "https://archive.orkl.eu/eeaccc729cac308d6856086924cea292de24fa70.txt",
		"img": "https://archive.orkl.eu/eeaccc729cac308d6856086924cea292de24fa70.jpg"
	}
}