Invoke-SessionHunter: Retrieve & display information about active user sessions on remote computers
Invoke-SessionHunter
Retrieve and display information about active user sessions on remote computers. No admin privileges are required.
The tool leverages the remote registry service to query the HKEY_USERS registry hive on the remote computers. It identifies and extracts Security Identifiers (SIDs) associated with active user sessions, and translates these into corresponding usernames, offering insights into who is currently logged in.
If the -CheckAdminAccess switch is provided, it will gather sessions by authenticating to targets where you have local admin access using Invoke-WMIRemoting (which most likely will retrieve more results)
It’s important to note that the remote registry service needs to be running on the remote computer for the tool to work effectively. In my tests, if the service is stopped but its Startup type is configured to “Automatic” or “Manual”, the service will start automatically on the target computer once queried (this is native behavior), and session information will be retrieved. If set to “Disabled” no session information can be retrieved from the target.
Usage
iex(new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/Leo4j/Invoke-SessionHunter/main/Invoke-SessionHunter.ps1’)
If run without parameters or switches it will retrieve active sessions for all computers in the current domain by querying the registry
Gather sessions by authenticating to targets where you have local admin access
You can optionally provide credentials in the following format
You can also use the -FailSafe switch, which will direct the tool to proceed if the target remote registry becomes unresponsive.
This works in combination with -Timeout | Default = 2, increasing for slower networks.
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -FailSafe -Timeout 5
Use the -Match switch to show only targets where you have admin access and a privileged user is logged in
All switches can be combined
Specify the target domain
Specify a comma-separated list of targets or the full path to a file containing a list of targets – one per line
Retrieve and display information about active user sessions on servers only
Retrieve and display information about active user sessions on workstations only
Show active session for the specified user only
Exclude localhost from the session retrieval
Return custom PSObjects instead of table-formatted results
Do not run a port scan to enumerate for alive hosts before trying to retrieve sessions
Note: if a host is not reachable it will hang for a while
Invoke-SessionHunter -NoPortScan
Source: https://github.com/Leo4j/
