Overview
The LogonSessions command enumerates active Windows logon sessions on the system. This reveals who is currently logged on, their logon type, the authentication package used, and session details: critical information for understanding current user activity and potential token theft targets.
Syntax
Remote Execution
Output
Returns logon session information:
- Username and domain
- Logon ID (LUID)
- Logon type (Interactive, Network, Batch, Service, etc.)
- Authentication package (NTLM, Kerberos, Negotiate)
- Logon time
- Logon server
- DNS domain name
- User SID
Use Cases
Red Team
- Identify high-value targets for token theft
- Find interactive admin sessions
- Discover service account logons
- Plan token impersonation attacks
- Identify lateral movement opportunities
- Locate cached credentials
Blue Team
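To show how a defender can turn the session fields listed under Output into a review list, here is an added example (not code from the tool or this page). It parses constructed sample records in an assumed "key=value;..." one-session-per-line layout, maps the numeric logon type to its name, and flags the sessions whose tokens or cached credentials an intruder would be after: interactive, remote-interactive, cached, service and batch logons by privileged or service accounts. The `PRIVILEGED` set and the `svc_` naming convention are assumptions.

```python
from dataclasses import dataclass

# Logon type codes as reported by LsaGetLogonSessionData (and Security event 4624)
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# Logon types that leave a reusable token or cached credential on the host
EXPOSED_TYPES = {"Interactive", "RemoteInteractive", "CachedInteractive", "Service", "Batch"}
PRIVILEGED = {"administrator"}   # assumed list of privileged account names
SERVICE_PREFIX = "svc_"          # assumed service-account naming convention

# Constructed sample output in an assumed "key=value;..." one-session-per-line layout
SAMPLE = """\
user=Administrator;domain=CORP;luid=0x3e7a1;type=10;package=Kerberos;time=2024-01-08T09:12:03;server=DC01
user=svc_backup;domain=CORP;luid=0x4c2b0;type=5;package=Kerberos;time=2024-01-08T06:00:00;server=DC01
user=jdoe;domain=CORP;luid=0x5f019;type=3;package=NTLM;time=2024-01-08T09:40:11;server=DC01
user=SYSTEM;domain=NT AUTHORITY;luid=0x3e7;type=0;package=Negotiate;time=2024-01-08T05:58:40;server=
"""

@dataclass
class LogonSession:
    user: str
    domain: str
    luid: int          # logon ID (LUID) as an integer
    logon_type: str
    package: str
    logon_time: str
    server: str

def parse_sessions(text: str) -> list:
    """Parse one session per line; unknown logon type codes are kept, not dropped."""
    sessions = []
    for line in text.strip().splitlines():
        kv = dict(item.split("=", 1) for item in line.split(";"))
        code = int(kv["type"])
        sessions.append(LogonSession(kv["user"], kv["domain"], int(kv["luid"], 16),
                                     LOGON_TYPES.get(code, f"Unknown({code})"),
                                     kv["package"], kv["time"], kv["server"]))
    return sessions

def triage(sessions: list) -> list:
    """Return (luid, reason) pairs for sessions whose token is worth protecting first."""
    findings = []
    for s in sessions:
        if s.logon_type not in EXPOSED_TYPES:
            continue                      # e.g. Network logons cache no credentials here
        if s.user.lower() in PRIVILEGED:
            findings.append((s.luid, f"privileged {s.logon_type} session"))
        elif s.user.lower().startswith(SERVICE_PREFIX):
            findings.append((s.luid, f"service account {s.logon_type} logon"))
    return findings
```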
Example Output
Remote Execution
This command supports remote execution using the -computername parameter.
Detection Considerations
- API Calls: Uses LsaEnumerateLogonSessions and LsaGetLogonSessionData
- Privilege Required: May require elevated privileges
- WMI Activity: Remote execution generates WMI events
- EDR Telemetry: Often flagged by security products
Related Commands
- LocalUsers - Local user accounts
- LocalGroups - Local group membership
- TokenPrivileges - Token privileges
- Processes - Running processes