0x41p · OSCP Training Log

Windows Local Enumeration — PowerShell Artifacts & Automated Tooling

Theme of the day: Windows local enumeration & privilege escalation via PowerShell logging artifacts and automated enumeration tooling.

> Methodology notes only — generic examples and placeholder names throughout. No specific target, account, or exercise details.

1. Script Block Logging via Event Viewer

When PowerShell Script Block Logging is enabled, it records the full text of executed script blocks — including any literal passwords or credentials that were typed.

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
  Where-Object { $_.Id -eq 4104 -and $_.Message -match "pass" } |
  Format-List TimeCreated, Message

Key takeaway: Defensive logging is an offensive goldmine. Script Block Logging records the original (decoded) representation of commands — even obfuscated/encoded ones.

2. PowerShell history & transcript hunting

Three artifact sources, fast → slow:

  1. Get-History — PowerShell's own session history. Usually empty. Clear-History wipes this.
  2. PSReadline history file — THE reliable one. Clear-History does not touch it.
(Get-PSReadlineOption).HistorySavePath
type $((Get-PSReadlineOption).HistorySavePath)

Path: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt Also check other users' profiles, not just your own.

  1. Transcript files ("over-the-shoulder" logging) — often in C:\Users\Public\Transcripts\ or a user home / network share. Frequently contains the plaintext password that the history only showed as a SecureString variable.

Key takeaway: Admins run Clear-History thinking they wiped everything — but PSReadline's ConsoleHost_history.txt survives. This is where the trail almost always starts. Never skip it.

A recovered password (e.g. a Set-Secret entry, or a ConvertTo-SecureString + New-Object PSCredential pair in a transcript) should be tried against every user/service — password reuse is common. Use evil-winrm -i <ip> -u <user> -p '<pass>' from Kali for a clean WinRM shell (escape ! as \!); a PSSession inside a bind shell behaves unreliably.

3. Automated enumeration: winPEAS

Key takeaway: Automated tools save huge time but lie and miss things — they can mis-identify the OS version and skip artifacts (transcript files, PSReadline history, desktop notes) that manual enumeration finds. Use automation for breadth, but always back it with manual work. Never blindly trust tool output.

4. Automated enumeration: Seatbelt

Operational lessons:

Cross-cutting themes