Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ghostpack/rubeus/llms.txt

Use this file to discover all available pages before exploring further.

The logonsession command queries the Windows LSA for metadata about one or more active logon sessions. For each session it prints the LUID, username, logon domain, SID, authentication package (e.g. Kerberos, NTLM, Negotiate), logon type (Interactive, Network, NewCredentials, etc.), session ID, logon time, logon server, DNS domain name, and UPN. Without elevation, Rubeus can only read information about the calling process’s own session. When running as SYSTEM or with SeDebugPrivilege, all sessions on the system are enumerable.

Flags

/current
flag
Explicitly request only the current logon session. This is the default behavior when Rubeus is not running in a high-integrity context.
/luid
string
Query a specific logon session by its LUID (hex or decimal). Use currentluid to find the LUID of any session of interest.
Without any flags and without elevation, logonsession automatically falls back to displaying only the current session. With elevation and no flags, it enumerates all sessions visible to the LSA.

Examples

Show the current session’s information

Returns session details for the logon session that owns the calling process.
Rubeus.exe logonsession /current
Example output:
[*] Action: Display current logon session information

    LUID          : 0x4571a2 (4550050)
    UserName      : jdoe
    LogonDomain   : CORP
    SID           : S-1-5-21-3623811015-3361044348-30300820-1013
    AuthPackage   : Kerberos
    LogonType     : Interactive (2)
    Session       : 1
    LogonTime     : 6/10/2024 9:14:02 AM
    LogonServer   : DC01
    DnsDomainName : corp.local
    Upn           : jdoe@corp.local

Show a specific session by LUID

Target any session whose LUID you already know — for example a session created with createnetonly.
Rubeus.exe logonsession /luid:0x4571a2

Enumerate all readable sessions

Running without flags in a high-integrity context lists every active session on the machine.
Rubeus.exe logonsession

Build docs developers (and LLMs) love