Windows.Sys.LoggedInUsers

List every currently logged-in user and their logon session (type, start time, authentication package, process count) via WMI.


# Velociraptor client artifact. Correlates three WMI classes
# (Win32_LoggedOnUser, Win32_LogonSession, Win32_SessionProcess) to report
# every logon session that currently owns at least one process, together
# with the account bound to it. Handy for host triage ("who is on this
# box?"), e.g. spotting LogonType 10 (RemoteInteractive / RDP) sessions.
name: Windows.Sys.LoggedInUsers
author: Zane Gittins
description: |
   Get all currently logged in users via wmi.

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

# All three filters are regular expressions applied with VQL's `=~`
# (an unanchored regexp match). The default `.` matches any non-empty
# value. Anchor the pattern (e.g. `^10$`) when an exact match is wanted:
# `1` would also match logon types 10-13.
# NOTE(review): rows whose filtered field is NULL/unset are presumably
# dropped by a regex filter rather than passed through - confirm.
parameters:
   - name: UserNameRegex
     default: .
     type: string
     description: Filter by username.
   - name: DomainRegex
     default: .
     type: string
     description: Filter by domain.
   - name: LogonTypeRegex
     default: .
     type: string
     description: Filter by logon type. For example, 10 for remote.

sources:
  # Windows only: everything below reads WMI from ROOT/CIMV2.
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
     // Helper functions
     //
     // _X splits a CIM_DATETIME string ("yyyymmddHHMMSS.ffffff" followed
     // by the UTC offset in minutes, e.g. "...-300") into g1 = the
     // date/time part and g2 = the signed offset in minutes.
     // NOTE(review): the regex only accepts a '-' sign. A positive offset
     // ("+060") does not match, so g1/g2 are presumably empty and the
     // session StartTime would fail to parse on hosts east of UTC -
     // consider "(^.+)([+-]\\d+)$" together with a sign-aware format below.
     LET _X(X) = parse_string_with_regex(regex="(^.+)(-\\d+)$", string=X)
     // Rebuild the string as "<date/time>-HH00": the minute offset is
     // converted to hours (zero-padded to width 3, i.e. "-05") and "00"
     // is appended for the minutes field of the Go layout used below.
     // NOTE(review): offsets that are not whole hours (e.g. -210 = -3:30)
     // give a fractional hour here; confirm whether such zones matter.
     LET NormalizeTime(X) = format(
         format="%s%03g00",
         args=[_X(X=X).g1, int(int=_X(X=X).g2) / 60])
     // Parse the normalized string with a Go time layout.
     LET ParseTime(X) = timestamp(
         string=NormalizeTime(X=X),
         format="20060102150405.999999-0700")
     // The association classes return object-path strings of the form
     // 'Win32_Account.Domain="D",Name="N"' and
     // 'Win32_LogonSession.LogonId="123"'; the helpers below pull single
     // properties out of that text.
     LET ExtractDomain(X) = parse_string_with_regex(
         string=X,
         regex=['Domain=\\"(.*?)\\"']).g1
     // Greedy ".*": captures up to the last '"' in the reference, so this
     // assumes Name is the final property in the object path.
     LET ExtractLogonName(X) = parse_string_with_regex(
         string=X,
         regex=['Name=\\"(.*)\\"']).g1
     // The logon id (LUID) appears as a decimal string in the object path.
     LET ExtractLogonID(X) = parse_string_with_regex(
         string=X,
         regex=['LogonId=\\"([0-9]+)\\"']).g1
     // NOTE(review): FormatTime is never called and refers to TimeFormat,
     // which is not defined anywhere in this artifact - dead code that can
     // be removed.
     LET FormatTime(Time) = timestamp(
         string=regex_replace(source=Time, replace="-0", re="-"),
         format=TimeFormat)
     // Account <-> session pairs. '<=' materializes the result once so the
     // per-row subqueries further down do not re-query WMI. The username
     // filter is applied here and again in the final SELECT.
     LET CurrentlyLoggedIn <= SELECT ExtractDomain(X=Antecedent) AS Domain,
                                     ExtractLogonName(X=Antecedent) AS LogonName,
                                     ExtractLogonID(X=Dependent) AS CurrentLogonId
       FROM wmi(query="SELECT * FROM win32_loggedonuser", namespace="ROOT/CIMV2")
       WHERE LogonName =~ UserNameRegex
     // WMI Queries
     // All logon sessions; LogonId, LogonType, StartTime and
     // AuthenticationPackage are read from these rows in the final SELECT.
     LET Sessions <= SELECT *
       FROM wmi(query="SELECT * FROM Win32_LogonSession", namespace="ROOT/CIMV2")
     // Number of processes per logon session. Because this is the driving
     // table of CurrentSessions, a session with no running process is not
     // reported at all.
     LET Processes <= SELECT 
                             ExtractLogonID(X=Antecedent) AS LogonID,
                             count() AS ProcessCount
       FROM wmi(query="SELECT * from Win32_SessionProcess", namespace="ROOT/CIMV2")
       GROUP BY LogonID
     // For each session with processes, attach the matching account row
     // (LoginInfo) and session row (SessionInfo). LogonID is the outer
     // Processes column; CurrentLogonId / LogonId are the inner columns -
     // VQL identifiers are case-sensitive, so LogonID and LogonId differ.
     // NOTE(review): LogonType is not a column of CurrentlyLoggedIn or
     // Processes, so how "LogonType =~ LogonTypeRegex" resolves inside
     // this subquery is unclear. The same three filters are re-applied in
     // the final SELECT, so this predicate (and the Domain one) is
     // redundant at best - confirm and consider dropping them here.
     LET CurrentSessions = SELECT *, {
                                    SELECT *
                                    FROM CurrentlyLoggedIn
                                    WHERE LogonID = CurrentLogonId
                                     AND Domain =~ DomainRegex
                                          AND LogonType =~ LogonTypeRegex
                                  } AS LoginInfo,
                                  {
                                    SELECT *
                                    FROM Sessions
                                    WHERE LogonID = LogonId
                                  } AS SessionInfo
       FROM Processes
     // Final query 
     // One row per session: when it started, which account owns it, how
     // many processes it has, its type (10 = RemoteInteractive per
     // Win32_LogonSession) and the authentication package (e.g. NTLM,
     // Kerberos). The three regex filters are applied once more on the
     // joined row, then rows are sorted newest session first.
     SELECT 
            ParseTime(X=SessionInfo.StartTime) AS Timestamp,
            LoginInfo.LogonName AS LogonName,
            LoginInfo.Domain AS Domain,
            ProcessCount,
            SessionInfo.LogonType AS LogonType,
            SessionInfo.LogonId AS LogonID,
            SessionInfo.AuthenticationPackage AS AuthenticationPackage
     FROM CurrentSessions
     WHERE LogonName =~ UserNameRegex
      AND Domain =~ DomainRegex
           AND LogonType =~ LogonTypeRegex
     ORDER BY Timestamp DESC