Endpoint Analysis using Windows tool - net session
netsession is a Windows utility command prompt tool that is used to manage server computer connections. This displays information about all the sessions with the local computer.
From an incident response perspective, the ability to jump from one endpoint to another is part of the attack chain. This is called “living off the land“ because when an adversary traverses inside the organization, the goal is to acquire domain level compromise and this technique leaves breadcrumbs for us as a responder. It is important to see a record when the suspected patient successfully contacts another endpoint.
When netsession is executed from an endpoint in the domain, the connection history will be displayed.
Computer User name Client type Opens Idle time
\\BWESTON CHRISDR Windows 7 1 00:00:13
\\JAMESMC-01 Administrator Windows Vista 0 01:05:13