Merge pull request #95 from ville87/psconsolehistory

Added parsing of PowerShell console history file

Author: l0ss

Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Code/PowerShell/KeepPsByName.toml

@@ -0,0 +1,17 @@
+[[ClassifierRules]]
+EnumerationScope = "FileEnumeration"
+RuleName = "KeepPSHistoryByName"
+MatchAction = "Relay"
+RelayTargets = ["KeepPsCredentials",
+"KeepCmdCredentials",
+"KeepAwsKeysInCode",
+"KeepInlinePrivateKey",
+"KeepPassOrKeyInCode",  "KeepSlackTokensInCode",
+"KeepSqlAccountCreation",
+"KeepDbConnStringPw"]
+Description = "Files with these exact names will be searched for PowerShell related strings."
+MatchLocation = "FileName"
+WordListType = "Exact"
+MatchLength = 0
+WordList = ["ConsoleHost_history\\.txt"]
+Triage = "Green"

Snaffler/SnaffRules/DefaultRules/PathRules/Discard/DiscardWinSystemDirs.toml

@@ -21,7 +21,8 @@ WordList = ["\\\\winsxs",
 "\\\\sources\\\\sxs",
 "\\\\localization",
 "\\\\AppData\\\\Local\\\\Microsoft",
-"\\\\AppData\\\\Roaming\\\\Microsoft",
+"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows",
+"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams",
 "\\\\wsuscontent",
 "\\\\Application Data\\\\Microsoft\\\\CLR Security Config",
 "\\\\servicing\\\\LCU"]