This artifact hunts for Powershell ISE autosave files and extracts ISE user config.
Powershell ISE generates auto-save files for if the editor crashes.
user.config holds ISE session metadata including a MRU for the relevant user.
name: Windows.System.Powershell.ISEAutoSave
description: |
This artifact hunts for Powershell ISE autosave files and extracts ISE user
config.
Powershell ISE generates auto-save files for if the editor crashes.
user.config holds ISE session metadata including a MRU for the relevant user.
type: CLIENT
parameters:
- name: AutoSaveFiles
default: C:\Users\*\AppData\*\Microsoft_Corporation\Powershell_ISE.exe*\*\AutoSaveFiles\*.ps1
description: ISE Autosave file glob
- name: UserConfig
default: C:\Users\*\AppData\*\Microsoft_Corporation\Powershell_ISE.exe*\*\user.config
description: ISE user config file glob
- name: ContentRegex
default: .
description: Content regex to hunt for in ISEAutoSave files
- name: ContentWhitelist
default:
description: Content whitelist to exclude from results in ISEAutoSave files
sources:
- precondition: SELECT OS From info() where OS = 'windows'
query: |
LET files = SELECT OSPath, Size, Mtime, Btime, Ctime, Atime
FROM glob(globs=AutoSaveFiles)
SELECT
OSPath, Size, Mtime, Btime, Ctime, Atime,
read_file(filename=OSPath) as Content
FROM foreach(row=files)
WHERE Content =~ ContentRegex
AND NOT if(condition=ContentWhitelist,
then= Content =~ ContentWhitelist,
else= False )
- name: UserConfig
query: |
LET files = SELECT OSPath, Size, Mtime, Btime, Ctime, Atime
FROM glob(globs=UserConfig)
SELECT
OSPath, Size, Mtime, Btime, Ctime, Atime,
parse_xml(file=Data,accessor='data').configuration.userSettings.UserSettings.setting[5].value.ArrayOfString.string as MRU,
parse_xml(file=Data,accessor='data').configuration as Configuration,
Data as RawXml
FROM foreach(row=files, query={
SELECT *, OSPath, Size, Mtime, Btime, Ctime, Atime
FROM read_file(filenames=OSPath)
WHERE OSPath =~ 'user.config$'
})