Amnesiac

History and ClearHistory

Get or Clear PowerShell History

The History command is designed to retrieve PowerShell history from the target system. This command is particularly valuable for uncovering historical commands and activities executed on the system.

When you execute the History command, it will attempt to retrieve the PowerShell history for all users on the target system. However, the success of this action depends on your user privileges.

If you are running the Amnesiac session as a Local Administrator or NT Authority\System, you are more likely to obtain the history of all users. Conversely, if you are running as a standard user, you will only be able to retrieve the history for the user currently running the Amnesiac session.

Please note that the retrieved history is not displayed on screen because it can be long. Instead, it is saved in the "C:\Users\Public\Documents\Amnesiac\History" folder for later reference and analysis.

The ClearHistory command allows you to clear all PowerShell history entries on the target system. This action can be useful for removing traces of your past activities and commands.

To clear the PowerShell history, type ClearHistory in the Amnesiac console and execute the command. Be cautious when using this command, as it cannot be undone.
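For defenders, both commands leave checkable artifacts: the staging folder named above, and per-user history that is gone or empty after a clear. The triage script below is an added example, not part of Amnesiac or its documentation; it assumes the history in question is PSReadLine's default `ConsoleHost_history.txt` file, and `Get-HistoryTriage` is a hypothetical helper name.

```powershell
# Added defensive triage example; not Amnesiac code. Run elevated so every
# profile under C:\Users is readable.
# Assumption: "PowerShell history" is PSReadLine's default per-user file.
$RelHistory = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

function Get-HistoryTriage {   # hypothetical helper name
    param(
        [string]$UsersRoot   = 'C:\Users',
        # Staging folder named on this page
        [string]$StagingPath = 'C:\Users\Public\Documents\Amnesiac\History'
    )

    # 1. Staging folder and any history copies left in it by the History command
    if (Test-Path -LiteralPath $StagingPath) {
        $dir = Get-Item -LiteralPath $StagingPath
        [pscustomobject]@{ Finding = 'StagingFolderPresent'; Path = $dir.FullName
                           Bytes = $null; LastWriteUtc = $dir.LastWriteTimeUtc }
        Get-ChildItem -LiteralPath $StagingPath -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Finding = 'StagedHistoryCopy'; Path = $_.FullName
                                   Bytes = $_.Length; LastWriteUtc = $_.LastWriteTimeUtc }
            }
    }

    # 2. Per-profile history state. The page does not say whether ClearHistory
    #    deletes or empties the file, so both conditions are reported.
    Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'Public' } |
        ForEach-Object {
            $file = Join-Path $_.FullName $RelHistory
            $item = Get-Item -LiteralPath $file -ErrorAction SilentlyContinue
            $finding = if (-not $item)              { 'HistoryMissingOrUnreadable' }
                       elseif ($item.Length -eq 0)  { 'HistoryEmpty' }
                       else                         { 'HistoryPresent' }
            [pscustomobject]@{ Finding = $finding; Path = $file
                               Bytes = $(if ($item) { $item.Length })
                               LastWriteUtc = $(if ($item) { $item.LastWriteTimeUtc }) }
        }
}

Get-HistoryTriage | Sort-Object Finding, Path | Format-Table -AutoSize
```

A missing history file is normal for accounts that never used an interactive PowerShell console, so correlate these findings with logon and process-creation events before drawing conclusions.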

Last updated 1 year ago