Skip to content

An Incident Response tool to extract console command history and screen output buffer

License

Notifications You must be signed in to change notification settings

lteich/GetConsoleHistoryAndOutput

 
 

Repository files navigation

GetConsoleHistoryAndOutput

GetConsoleHistoryAndOutput is designed to be used as part of "Live Response" forensic investigations.

The ability to retrieve command history and console output buffer of suspicious processes could enable IR teams to gain visibility into attackers actions on a victim's system.

The GetConsoleHistoryAndOutput receives a PID of a console process and retrieves the console command history and screen output buffer.

Additional reading material on the tool, can be found in our blog Windows Console Command History: Valuable Evidence for Live Response Investigation.

How to use

Usage: GetConsoleHistoryAndOutput.exe pid_of_console_process outputfile_path

Examples

The PID of the following console is 6364 alt tag
Running:

GetConsoleHistoryAndOutput.exe 6364 output.txt

Will result with the following data at output.txt:

### Display Output of PID: 6364###

## Process' Command History ##
H0: net group "domain admins" /domain

## Console Output Buffer ##
L0: Microsoft Windows [Version 6.1.7601]                                                                                    
L1: Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                                                         
L3: C:\Users\lex>net group "domain admins" /domain                                                                          
L4: The request will be processed at a domain controller for domain DCOMIC.LOCAL.                                           
L6: Group name     Domain Admins                                                                                            
L7: Comment        Designated administrators of the domain                                                                  
L9: Members                                                                                                                 
L11: -------------------------------------------------------------------------------                                         
L12: Administrator            aquaman                  captaina                                                              
L13: lex                                                                                                                     
L14: The command completed successfully.                                                                                     
L17: C:\Users\lex>                                                  
                                                         
###        Output End         ###

Authors

  • Tom Sela - @4x6hw
  • Liav Teichner

License

This project is licensed under the BSD 3-clause license - see the LICENSE file for details

Contributors

Illusive Networks Research & Dev team members:

  • Tomer Shamul
  • Tom Kahana
  • Dolev Ben Shushan
  • Hadar Yudovich

About

An Incident Response tool to extract console command history and screen output buffer

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 100.0%