Better know a data source: Logon sessions

What are logon sessions?

lkd> dt -b nt!_TOKEN ffffd6866ca2e060 AuthenticationId
+0x018 AuthenticationId : _LUID
lkd> dt -b nt!_LUID ffffd6866ca2e060+0x018
+0x000 LowPart : 0x1c30b7
+0x004 HighPart : 0n0
lkd> dt nt!_TOKEN ffffd6866ca2e060 LogonSession
+0x0d8 LogonSession : 0xffffd686`6d90e2e0 _SEP_LOGON_SESSION_REFERENCES
lkd> dt nt!_SEP_LOGON_SESSION_REFERENCES ffffd6866ca2e060+0x0d8
+0x000 Next : 0xffffd686`6d90e2e0 _SEP_LOGON_SESSION_REFERENCES
+0x008 LogonId : _LUID
+0x010 BuddyLogonId : _LUID

lkd> dt nt!_LUID 0xffffd686`6d90e2e0+0x008
+0x000 LowPart : 0x1c30b7
+0x004 HighPart : 0n0
lkd> dt nt!_LUID 0xffffd686`6d90e2e0+0x010
+0x000 LowPart : 0x1c3091
+0x004 HighPart : 0n0

Tracking logon sessions

An abstract example

A concrete example

search in (DeviceProcessEvents, DeviceEvents, DeviceLogonEvents)
LogonId == "3035479" or InitiatingProcessLogonId == "3035479"
| extend PipeName = extractjson("$.PipeName", AdditionalFields)
| extend ServiceName = extractjson("$.ServiceName", AdditionalFields)
| extend ServiceType = extractjson("$.ServiceType", AdditionalFields)
| summarize by Timestamp, DeviceName, ActionType, InitiatingProcessLogonId, LogonId, FileName, ProcessCommandLine, PipeName, ServiceName, ServiceType
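The same pivot the KQL query performs, written out as an added Python example (this is not code from the original post or from Microsoft). The records are constructed and only mimic the column names the query uses; the LinkedLogonId field is an assumption that stands in for the kernel's BuddyLogonId seen in the WinDbg output above (Security event 4624 prints it as "Linked Logon ID"). It also shows why a pivot on one half of a UAC split token misses processes started from the other half, and how following the linked session closes that gap.

```python
"""Pivot endpoint telemetry on a logon session LUID, the way the KQL above does.

Added example; the records are constructed, not real MDE output. Column names
follow the query (DeviceName, ActionType, LogonId, InitiatingProcessLogonId,
FileName, ProcessCommandLine). LogonId values are decimal strings, as MDE
reports them. LinkedLogonId is an assumed field standing in for the kernel's
BuddyLogonId (Security event 4624 calls it "Linked Logon ID").
"""

# Constructed sample: a RemoteInteractive logon whose UAC split token yields
# two linked sessions (3035479 / 3035441), plus an unrelated Network logon.
LOGON_EVENTS = [
    {"Timestamp": "2022-05-22T17:08:12Z", "DeviceName": "desktop-02sn8ah",
     "ActionType": "LogonSuccess", "LogonType": "RemoteInteractive",
     "AccountName": "TestUser", "LogonId": "3035479", "LinkedLogonId": "3035441"},
    {"Timestamp": "2022-05-22T17:08:12Z", "DeviceName": "desktop-02sn8ah",
     "ActionType": "LogonSuccess", "LogonType": "RemoteInteractive",
     "AccountName": "TestUser", "LogonId": "3035441", "LinkedLogonId": "3035479"},
    {"Timestamp": "2022-05-25T05:54:34Z", "DeviceName": "desktop-02sn8ah",
     "ActionType": "LogonSuccess", "LogonType": "Network",
     "AccountName": "TestUser", "LogonId": "64574662", "LinkedLogonId": ""},
]

# Constructed process events. cmd.exe was started from the elevated half of
# the split token, so both of its LUID columns carry the buddy session.
PROCESS_EVENTS = [
    {"Timestamp": "2022-05-22T17:08:15Z", "DeviceName": "desktop-02sn8ah",
     "ActionType": "ProcessCreated", "InitiatingProcessLogonId": "3035479",
     "LogonId": "3035479", "FileName": "explorer.exe",
     "ProcessCommandLine": "explorer.exe"},
    {"Timestamp": "2022-05-22T17:09:01Z", "DeviceName": "desktop-02sn8ah",
     "ActionType": "ProcessCreated", "InitiatingProcessLogonId": "3035441",
     "LogonId": "3035441", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c whoami /groups"},
    {"Timestamp": "2022-05-25T05:54:40Z", "DeviceName": "desktop-02sn8ah",
     "ActionType": "ProcessCreated", "InitiatingProcessLogonId": "64574662",
     "LogonId": "64574662", "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe"},
]


def linked_sessions(logon_events):
    """Map every LogonId to the set of LogonIds in its linked (buddy) group.

    A UAC split token produces two logon sessions that reference each other.
    A process started from the elevated half carries the other LUID, so a
    pivot on one half alone never sees it.
    """
    groups = {}
    for ev in logon_events:
        ids = {ev["LogonId"]}
        if ev.get("LinkedLogonId"):
            ids.add(ev["LinkedLogonId"])
        merged = set(ids)
        for i in ids:
            merged |= groups.get(i, set())
        for i in merged:
            groups[i] = merged
    return groups


def pivot_on_logon_id(logon_id, logon_events, process_events, include_linked=True):
    """Return every event tied to a session: LogonId or InitiatingProcessLogonId
    matches, exactly like the `search` in the KQL, optionally widened to the
    linked session."""
    ids = {logon_id}
    if include_linked:
        ids |= linked_sessions(logon_events).get(logon_id, set())
    hits = [ev for ev in logon_events + process_events
            if ev.get("LogonId") in ids or ev.get("InitiatingProcessLogonId") in ids]
    return sorted(hits, key=lambda e: e["Timestamp"])


def timeline(logon_id, logon_events=LOGON_EVENTS, process_events=PROCESS_EVENTS):
    """One line per event, in time order, for reading what a session did."""
    lines = []
    for ev in pivot_on_logon_id(logon_id, logon_events, process_events):
        detail = ev.get("ProcessCommandLine") or \
            f"{ev.get('LogonType')} logon for {ev.get('AccountName')}"
        lines.append(f"{ev['Timestamp']} {ev['DeviceName']} {ev['ActionType']:14} "
                     f"LogonId={ev['LogonId']} {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline("3035479")))
```

Run stand-alone it prints four lines for session 3035479: both halves of the split-token logon, explorer.exe under the filtered session and cmd.exe under the elevated one. With `include_linked=False` the cmd.exe line disappears, which is the blind spot to keep in mind when a query pivots on a single LogonId.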

Collecting logon session data

PS C:\Users\TestUser> C:\Tools\SysinternalsSuite\logonsessions.exe
LogonSessions v1.41 - Lists logon session information
Copyright (C) 2004-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
[0] Logon session 00000000:000003e7:
User name: WORKGROUP\DESKTOP-02SN8AH$
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 5/21/2022 4:30:44 PM
Logon server:
DNS Domain:
UPN:
[1] Logon session 00000000:0000acab:
User name:
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: (none)
Logon time: 5/21/2022 4:30:44 PM
Logon server:
DNS Domain:
UPN:
.....
[12] Logon session 00000000:00a30110:
User name: DESKTOP-02SN8AH\TestUser
Auth package: NTLM
Logon type: RemoteInteractive
Session: 2
Sid: S-1-5-21-3038318105-1090508391-2814755547-1001
Logon time: 5/22/2022 5:08:12 PM
Logon server: DESKTOP-02SN8AH
DNS Domain:
UPN:
[13] Logon session 00000000:03d954c6:
User name: DESKTOP-02SN8AH\TestUser
Auth package: NTLM
Logon type: Network
Session: 0
Sid: S-1-5-21-3038318105-1090508391-2814755547-1001
Logon time: 5/25/2022 5:54:34 AM
Logon server: DESKTOP-02SN8AH
DNS Domain:
UPN:
[14] Logon session 00000000:04742f65:
User name: DESKTOP-02SN8AH\TestUser
Auth package: NTLM
Logon type: Network
Session: 0
Sid: S-1-5-21-3038318105-1090508391-2814755547-1001
Logon time: 5/25/2022 12:27:07 PM
Logon server: DESKTOP-02SN8AH
DNS Domain:
UPN:
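An added Python example, not code from the original post or from Sysinternals, that ties the "What are logon sessions?" and "Collecting logon session data" sections together: it parses logonsessions.exe output into records keyed by the session LUID and normalises the three notations the same LUID shows up in (the WinDbg LowPart/HighPart pair, the HighPart:LowPart hex pair logonsessions.exe prints, and the decimal string MDE uses for LogonId). The sample text is constructed to follow the layout printed above, not the post's full output.

```python
"""Parse logonsessions.exe output and normalise LUID notations across tools.

Added example. SAMPLE is constructed in the tool's layout; the values are
illustrative. Note that "Session" in this output is the terminal services
session number, not the logon session LUID in the header line.
"""
import re

SAMPLE = r"""
[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\DESKTOP-02SN8AH$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   5/21/2022 4:30:44 PM
    Logon server:
    DNS Domain:
    UPN:
[12] Logon session 00000000:00a30110:
    User name:    DESKTOP-02SN8AH\TestUser
    Auth package: NTLM
    Logon type:   RemoteInteractive
    Session:      2
    Sid:          S-1-5-21-3038318105-1090508391-2814755547-1001
    Logon time:   5/22/2022 5:08:12 PM
    Logon server: DESKTOP-02SN8AH
    DNS Domain:
    UPN:
[13] Logon session 00000000:03d954c6:
    User name:    DESKTOP-02SN8AH\TestUser
    Auth package: NTLM
    Logon type:   Network
    Session:      0
    Sid:          S-1-5-21-3038318105-1090508391-2814755547-1001
    Logon time:   5/25/2022 5:54:34 AM
    Logon server: DESKTOP-02SN8AH
    DNS Domain:
    UPN:
"""

HEADER = re.compile(r"^\[(\d+)\] Logon session ([0-9a-fA-F]{8}):([0-9a-fA-F]{8}):\s*$")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def luid_to_int(value):
    """Accept any of the notations a LUID appears in and return it as an int:
    - logonsessions.exe: 'HighPart:LowPart' in hex, e.g. '00000000:00a30110'
    - WinDbg / Security event 4624: 0x-prefixed hex, e.g. '0x1C30B7'
    - MDE LogonId / InitiatingProcessLogonId: decimal text, e.g. '3035479'
    """
    value = value.strip()
    if ":" in value:
        high, low = value.split(":")
        return (int(high, 16) << 32) | int(low, 16)
    if value.lower().startswith("0x"):
        return int(value, 16)
    return int(value)


def luid_parts(luid):
    """Split an integer LUID back into the _LUID (LowPart, HighPart) pair."""
    return luid & 0xFFFFFFFF, luid >> 32


def parse_logonsessions(text):
    """Turn logonsessions.exe output into a list of dicts, one per session."""
    sessions, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"index": int(m.group(1)),
                       "luid": luid_to_int(f"{m.group(2)}:{m.group(3)}")}
            sessions.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return sessions


def find_session(sessions, logon_id):
    """Look a session up by a LogonId written in any supported notation."""
    target = luid_to_int(logon_id)
    return next((s for s in sessions if s["luid"] == target), None)


def pivot_ids(sessions, user_name):
    """Decimal LogonId strings for one account, ready to paste into the MDE query."""
    return [str(s["luid"]) for s in sessions
            if s.get("User name", "").lower() == user_name.lower()]


if __name__ == "__main__":
    for s in parse_logonsessions(SAMPLE):
        low, high = luid_parts(s["luid"])
        print(f"[{s['index']}] {s['luid']:>10} (0x{low:x}/{high}) "
              f"{s['Logon type']:<18} {s['User name']}")
```

The decimal column this prints is the value to use in the DeviceProcessEvents and DeviceLogonEvents LogonId filters, while the 0x form is what Security event 4624 and the debugger show, so one helper covers the translation in either direction.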

Windows Security Events

Sysmon

Microsoft Defender for Endpoint (MDE)

Filling in the spaces between frames

Hat tip
