Check-LocalAdminHash & Exfiltrating All PowerShell History

Summary

This article introduces Check-LocalAdminHash, a PowerShell script that takes a password hash and checks it against multiple hosts to determine on which of them it is a valid local administrator credential (a pass-the-hash check, not a password guess). It also offers functionality for exfiltrating the PowerShell command history found on those hosts.

IFF Assessment

FOE

The script's two capabilities directly aid attackers. Testing one hash against many hosts reveals every machine on which a reused local administrator credential grants access, which is the basis for lateral movement; pulling PowerShell history from those hosts harvests any credentials that operators typed on the command line, which enables further credential abuse.

Defender Context

Defenders should be aware that both credential checking across many hosts and the collection of PowerShell history can be automated. The countermeasures follow from that: unique local administrator passwords per host, so that a single hash is valid on one machine only; PowerShell script block and module logging, with alerting on unusual PowerShell activity; monitoring for one account authenticating over NTLM to many hosts in a short window; and keeping credentials out of interactive command lines, since PSReadLine writes history to disk in ConsoleHost_history.txt, where it persists until cleared.
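Two defender-side checks for the behaviours described above, as an added PowerShell example that is not the article's code and not part of the Check-LocalAdminHash project. Find-HashSpray takes records shaped like Security event 4624 and flags one account logging on over NTLM (network logon, type 3) to many hosts from one source address within a short window, which is how a hash being checked against multiple hosts surfaces in logs. Find-CredentialsInHistory scans PSReadLine history lines for inline credentials, the material an exfiltrated history file would yield. Function names, thresholds, the regex list and the sample records are assumptions chosen for illustration.

```powershell
# Added example (not from the article or the Check-LocalAdminHash project).
# Thresholds, field names and sample data below are assumptions for illustration.

function Find-HashSpray {
    param(
        # Objects with TargetUserName, IpAddress, Computer (host that logged the
        # event), LogonType, AuthenticationPackageName and TimeCreated, i.e. the
        # fields of Security event 4624 as Get-WinEvent exposes them.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinHosts = 5,          # assumed threshold
        [int] $WindowMinutes = 10     # assumed threshold
    )
    $Events |
        Where-Object { $_.LogonType -eq 3 -and $_.AuthenticationPackageName -eq 'NTLM' } |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $span   = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
            $hosts  = @($sorted.Computer | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts -and $span -le $WindowMinutes) {
                [pscustomobject]@{
                    Account   = $sorted[0].TargetUserName
                    Source    = $sorted[0].IpAddress
                    HostCount = $hosts.Count
                    WindowMin = [math]::Round($span, 1)
                    Hosts     = $hosts -join ','
                }
            }
        }
}

function Find-CredentialsInHistory {
    param(
        # Lines of a PowerShell history file. On a live host read them with
        # Get-Content (Get-PSReadLineOption).HistorySavePath
        [Parameter(Mandatory)] [string[]] $Lines
    )
    # Assumed pattern list; -match is case-insensitive by default.
    $patterns = @(
        'ConvertTo-SecureString\s+.*-AsPlainText',
        '-Password\s+\S+',
        'net\s+use\s+.*\s+/user:\S+\s+\S+',
        'net\s+user\s+\S+\s+\S+\s+/add',
        '(pass(word)?|pwd)\s*[=:]\s*\S+'
    )
    $n = 0
    foreach ($line in $Lines) {
        $n++
        foreach ($p in $patterns) {
            if ($line -match $p) {
                [pscustomobject]@{ Line = $n; Pattern = $p; Command = $line }
                break   # one hit per line is enough
            }
        }
    }
}

# Constructed sample data so the script runs stand-alone.
$t0 = Get-Date '2024-01-01 09:00:00'
$sampleEvents = foreach ($h in 1..6) {
    # Same account, same source, six hosts inside 90 seconds: should be flagged.
    [pscustomobject]@{
        TargetUserName = 'Administrator'; IpAddress = '10.0.0.50'; Computer = "WS$h"
        LogonType = 3; AuthenticationPackageName = 'NTLM'; TimeCreated = $t0.AddSeconds(15 * $h)
    }
}
# An ordinary interactive Kerberos logon that must not be flagged.
$sampleEvents += [pscustomobject]@{
    TargetUserName = 'alice'; IpAddress = '10.0.0.7'; Computer = 'WS1'
    LogonType = 2; AuthenticationPackageName = 'Kerberos'; TimeCreated = $t0
}
$sampleHistory = @(
    'Get-ChildItem C:\Temp',
    '$s = ConvertTo-SecureString "Winter2024!" -AsPlainText -Force',
    'net use \\FS01\share /user:CORP\svc_backup Summer2023!',
    'Get-Process | Sort-Object CPU'
)

Find-HashSpray -Events $sampleEvents | Format-Table -AutoSize           # one row: Administrator from 10.0.0.50 to 6 hosts
Find-CredentialsInHistory -Lines $sampleHistory | Format-Table -AutoSize # lines 2 and 3
```

Run against real data, feed Find-HashSpray the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} from each host (or from a central collector) after projecting the event XML fields onto the property names above, and point Find-CredentialsInHistory at each user's ConsoleHost_history.txt. A hit in the second check is also a cleanup task: the credential should be rotated, not just the history deleted.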
