[LOGONSESSIONS]
Analyze active logon sessions for incident response, unauthorized access detection, and user activity monitoring
Difficulty: Intermediate
Category: Security
Key Features
Session Enumeration
List all active logon sessions on the system
Logon Time Tracking
Show when each session was established
Session Details
Authentication package and logon type information
Process Association
Link sessions to running processes and services
Basic Usage
Session Analysis
# List all logon sessions
logonsessions
# Show detailed information
logonsessions -v
# List processes for each session
logonsessions -p
Targeted Analysis
# Filter by specific user
logonsessions | findstr "username"
# Show only interactive sessions
logonsessions | findstr "Interactive"
# Export to file for analysis
logonsessions -v > sessions.txt
Understanding Logon Types
| Type | Description | Common Sources | Risk Level |
|---|---|---|---|
| Interactive (2) | Local console logon | Keyboard/mouse access | Normal |
| Network (3) | Network resource access | File shares, printers | Monitor |
| Service (5) | Service account logon | Windows services | Normal |
| RemoteInteractive (10) | RDP/Terminal Services | Remote Desktop | High |
| NetworkCleartext (8) | Cleartext password over network | IIS Basic Auth, FTP | Critical |
| NewCredentials (9) | RunAs with alternate credentials | runas command | Monitor |
Security Use Cases
🚨 Incident Response
Identify unauthorized logon sessions during security incidents.
# Check active sessions
logonsessions -p
🕵️ Forensic Analysis
Analyze user activity timelines and session patterns.
# Get session details
logonsessions -v > evidence.txt
🔐 Access Monitoring
Monitor for suspicious logon patterns and unauthorized access.
# Monitor RDP sessions
logonsessions | findstr "RemoteInteractive"
🔧 System Administration
Track service accounts and administrative sessions.
# Check service sessions
logonsessions | findstr "Service"
Analysis Techniques
Session Investigation
- Timeline Analysis: Correlate logon times with suspicious activity
- Session Duration: Identify abnormally long-running sessions
- Process Mapping: Link suspicious processes to specific sessions
- Authentication Packages: Identify unusual authentication methods
Red Flags to Look For
- Off-hours Access: Sessions outside normal business hours
- Multiple Concurrent Sessions: Same user logged on multiple times
- Unusual Logon Types: Unexpected NetworkCleartext or NewCredentials
- Service Account Interactive: Service accounts with interactive sessions
- Unknown Users: Sessions for unrecognized user accounts
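A small analyzer that applies the red flags above to saved logonsessions output (such as the sessions.txt exported earlier) is added here as an example; it is not part of the Sysinternals tool. The sample text is constructed to mirror the tool's default one-block-per-session layout, and the svc_ naming convention, the business-hours window and the US-style timestamp format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the tool's default one-block-per-session layout (not a real capture).
SAMPLE = """\
[0] Logon session 00000000:0004a1b2:
    User name:    CORP\\alice
    Logon type:   Interactive
    Logon time:   1/15/2024 8:30:12 AM
[1] Logon session 00000000:0009c3d4:
    User name:    CORP\\svc_backup
    Logon type:   RemoteInteractive
    Logon time:   1/15/2024 2:14:55 AM
[2] Logon session 00000000:000b5e6f:
    User name:    CORP\\bob
    Logon type:   NetworkCleartext
    Logon time:   1/15/2024 11:02:40 AM
"""
HEADER = re.compile(r"^\[\d+\] Logon session (\S+):")
FIELD = re.compile(r"^\s+(User name|Logon type|Logon time):\s*(.*)$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # timestamp layout assumed for a US-locale host
INTERACTIVE = {"Interactive", "RemoteInteractive"}
WATCH_TYPES = {"NetworkCleartext": "cleartext password over the network",
               "NewCredentials": "RunAs with alternate credentials",
               "RemoteInteractive": "RDP session"}
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 working window

def parse_sessions(text):
    """Turn the text into one dict per session, keyed by the field names above."""
    sessions = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            sessions.append({"id": m.group(1)})
        elif (m := FIELD.match(line)) and sessions:
            sessions[-1][m.group(1)] = m.group(2).strip()
    return sessions

def flag_sessions(text):
    """Apply the red-flag rules from the page; returns (logon id, user, reason) tuples."""
    flags = []
    for s in parse_sessions(text):
        user, ltype = s.get("User name", ""), s.get("Logon type", "")
        if ltype in WATCH_TYPES:
            flags.append((s["id"], user, WATCH_TYPES[ltype]))
        name = user.rsplit("\\", 1)[-1].lower()  # assumed convention: svc_ prefix or $ suffix
        if ltype in INTERACTIVE and (name.startswith("svc_") or name.endswith("$")):
            flags.append((s["id"], user, "service account with interactive session"))
        if ltype in INTERACTIVE and datetime.strptime(s["Logon time"], TIME_FMT).hour not in BUSINESS_HOURS:
            flags.append((s["id"], user, f"off-hours logon at {s['Logon time']}"))
    return flags
```

Run `flag_sessions(open("sessions.txt").read())` against a real export; alice's daytime console logon produces no flag, while the svc_backup RDP session at 02:14 trips three rules at once.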
PowerShell Integration
Enhanced Analysis
# Get current user sessions (both commands show the same information)
quser
query user
# PowerShell session analysis (Get-CimInstance replaces the deprecated Get-WmiObject)
Get-CimInstance -ClassName Win32_LogonSession | Select-Object LogonId,StartTime,LogonType
# Combine with logonsessions output (Select-String takes a .NET regex, so '|' alternates without a backslash)
logonsessions -v | Select-String "RemoteInteractive|NetworkCleartext"
Best Practices & Tips
- Run with administrative privileges: Administrator rights are required for complete session visibility
- Focus on unusual logon types: Pay special attention to NetworkCleartext and RemoteInteractive
- Correlate with event logs: Cross-reference with Windows Security event logs (4624, 4625)
- Monitor service accounts: Service accounts should not have interactive or RDP sessions
- Document baseline behavior: Understand normal session patterns to identify anomalies