There are several reasons why it is important to know who is logged into a system:
- Security: Knowing who is logged into the system can help identify unauthorized access to the system and prevent potential security breaches.
- Auditing: Keeping track of who is logged into the system can help with auditing and compliance, as it allows administrators to see who has accessed the system and when.
- Resource Management: Knowing who is logged into the system can help with managing resources such as CPU and memory usage, as it allows administrators to see which users are actively using the system and potentially causing resource constraints.
- Troubleshooting: In the event of an issue or error on the system, knowing who is logged in can help with troubleshooting and identifying the root cause of the problem.
Overall, knowing who is logged into the system is important for ensuring the security, integrity, and proper functioning of the system.
At cyber competitions you get points for protecting the systems, and also for knowing who is logged into them.
Attackers are smart when it comes to starting processes and services, disabling firewall rules, scheduling a script to run, allowing themselves to SSH into the system and basically managing the system. Shoot! I would probably add myself a whole bunch of users if I took over a system; that way I could create persistence.
To check which users have the ability to log into a system using PowerShell, you can use the following command:
Get-LocalUser
This will return a list of all local users on the system, including their user name, password status, and whether the account is enabled, that is, whether they are allowed to log in.
In Linux you can use the who command or the w command to see who is currently logged in:
who
w
You can also use the following command to see which users have the “Allow log on locally” privilege:
Get-LocalGroupMember -Group "Remote Desktop Users"
This will return a list of users who are members of the “Remote Desktop Users” group, which has the “Allow log on locally” privilege.
Keep in mind that these commands will only work on local users and groups. If you want to check the logon permissions for domain users and groups, you will need to use different cmdlets such as Get-ADUser and Get-ADGroup.
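As an added example (not from the original post), here is a PowerShell function that combines Get-LocalUser and Get-LocalGroupMember into one report: every local account, the logon-related groups it belongs to, and whether it appears in a baseline list you maintain. The baseline names are constructed placeholders, and the function name is mine.

```powershell
# Added example (not from the original post): one report of every local
# account, the logon-related groups it belongs to, and whether it is in your
# baseline. Needs the built-in LocalAccounts module; run as administrator.
function Get-LocalLogonReport {
    param(
        # Constructed baseline: the accounts you expect on this box. Adjust it.
        [string[]]$Baseline = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
    )
    # Default user-rights assignments behind these groups:
    #   Administrators, Users -> "Allow log on locally"
    #   Remote Desktop Users  -> "Allow log on through Remote Desktop Services"
    $groups = 'Administrators', 'Remote Desktop Users', 'Users'
    $membership = @{}
    foreach ($g in $groups) {
        try {
            $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
        } catch {
            Write-Warning "Could not read group '$g': $_"
            continue
        }
        foreach ($m in $members) {
            if ($m.ObjectClass -ne 'User') { continue }   # skip nested groups
            # Members come back as COMPUTER\name (or DOMAIN\name); keep the name.
            $name = $m.Name.Split('\')[-1]
            if (-not $membership.ContainsKey($name)) { $membership[$name] = @() }
            $membership[$name] += $g
        }
    }
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
            LogonGroups     = ($membership[$_.Name] -join ', ')
            InBaseline      = ($Baseline -contains $_.Name)
        }
    } | Sort-Object InBaseline, Name
}

# Full picture first, then the accounts that deserve attention: enabled and
# not in the baseline (the "add myself a bunch of users" case from above).
Get-LocalLogonReport | Format-Table -AutoSize
Get-LocalLogonReport | Where-Object { $_.Enabled -and -not $_.InBaseline } | Format-Table -AutoSize
```

Domain accounts that sit in a local group show up in the group enumeration but not in Get-LocalUser, so check those separately with the AD cmdlets mentioned above.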
To disable a user account using PowerShell, you can use the Disable-LocalUser cmdlet. Here’s an example of how to use it:
Disable-LocalUser -Name "Username"
This will disable the user account with the name “Username”. The cmdlet will return a message indicating whether the operation was successful or not.
You can also use the -Verbose switch to display more detailed information about the operation:
Disable-LocalUser -Name "Username" -Verbose
Keep in mind that disabling a user account will prevent the user from logging into the system, but it will not delete the user’s profile or personal files. To completely remove a user from the system, you will need to delete the user’s account using the Remove-LocalUser cmdlet or through the Computer Management window.
To disable a user account in Linux, you can use the usermod command with the -L option. This will lock the user’s account, preventing them from logging in.
For example, to disable the user account with the username “username”, you can run the following command:
sudo usermod -L username
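As an added example (not from the original post), the PowerShell function below wraps Disable-LocalUser with the two checks a responder wants: it reads the account back to confirm it is disabled, and it reports any session the account still holds, since disabling an account (or locking it with usermod -L on Linux) does not end a session that is already logged on. The function name and the log path are mine.

```powershell
# Added example (not from the original post): disable a local account, re-read
# it to confirm, and report sessions the account still holds, because
# disabling does not end a session that is already logged on. Run as admin.
function Disable-SuspectLocalUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Constructed path for a small audit trail of what you changed and when.
        [string]$LogPath = "$env:TEMP\account-actions.log"
    )
    $before = Get-LocalUser -Name $Name -ErrorAction Stop
    if (-not $before.Enabled) {
        Write-Verbose "$Name is already disabled"
    }
    elseif ($PSCmdlet.ShouldProcess($Name, 'Disable local account')) {
        Disable-LocalUser -Name $Name -ErrorAction Stop
    }
    # Do not trust the cmdlet's silence: read the account back.
    $after = Get-LocalUser -Name $Name
    # quser (query user) is missing on some Windows editions, so probe for it.
    $sessions = @()
    if (Get-Command quser -ErrorAction SilentlyContinue) {
        $sessions = @(quser 2>$null | Where-Object {
                $_ -match "^\s*>?\s*$([regex]::Escape($Name))\s" })
    }
    if (-not $WhatIfPreference) {
        '{0:u} {1} enabled={2} sessions={3}' -f (Get-Date), $Name, $after.Enabled, $sessions.Count |
            Add-Content -Path $LogPath
    }
    [pscustomobject]@{
        Name           = $Name
        WasEnabled     = $before.Enabled
        Enabled        = $after.Enabled
        ActiveSessions = $sessions.Count
    }
}

# Dry run first, then for real.
Disable-SuspectLocalUser -Name 'Username' -WhatIf
Disable-SuspectLocalUser -Name 'Username' -Verbose
```

A non-zero ActiveSessions count means the user is still logged on; the session ID that quser prints for that row can be ended with the logoff command.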
Sometimes you might have to check logs or think outside the box to find out what a user did. Depending on the situation and what you want to do, to view the history of commands that have been run in PowerShell, you can use the Get-History cmdlet. By default, this cmdlet will display the command history for the current session.
Get-History
On Linux the only thing you have to do is type history:
history
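As an added example (not from the original post): Get-History only shows the current session, but PSReadLine writes every interactive PowerShell session's commands to a per-user text file, which is what you actually want to read when checking what another account ran. The file path is PSReadLine's default, the function name is mine, and the search patterns are a constructed list of account-persistence commands to look for.

```powershell
# Added example (not from the original post): Get-History only covers the
# current session, but PSReadLine saves each user's interactive PowerShell
# commands to a text file, so you can review what another account ran.
# The path is PSReadLine's default; the patterns are a constructed list of
# account-persistence commands to look for. Reading other profiles needs admin.
function Find-AccountChangesInHistory {
    param(
        [string]$UsersRoot = 'C:\Users',
        [string[]]$Patterns = @(
            'New-LocalUser', 'Add-LocalGroupMember', 'Enable-LocalUser',
            'net\s+user\b.*/add', 'net\s+localgroup\b'
        )
    )
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    Get-ChildItem -Path $UsersRoot -Directory | ForEach-Object {
        $owner = $_.Name
        $file  = Join-Path $_.FullName $relative
        if (-not (Test-Path -LiteralPath $file)) { return }   # no saved history
        # Select-String is case-insensitive and takes several regexes at once.
        Select-String -LiteralPath $file -Pattern $Patterns | ForEach-Object {
            [pscustomobject]@{
                Profile = $owner
                Line    = $_.LineNumber
                Command = $_.Line.Trim()
            }
        }
    }
}

# Where your own session's history lives, for reference:
(Get-PSReadLineOption).HistorySavePath
# Every profile's saved history, filtered to account changes:
Find-AccountChangesInHistory | Format-Table -AutoSize
```

An empty or very short history file for an account that has clearly been active is itself worth noting, and on Linux the same idea applies to each user's ~/.bash_history rather than just your own history output.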
There are a lot of resources out there for administering a system; I am just scratching the surface here because this is only one thing out of many.
Everything ties together: if you find a process coming from a certain user, you might want to stop that process and then disable the user. More about processes and services in another post.
Here are a few resources for learning more about administering a system:
- Microsoft’s TechNet Library: This is a comprehensive resource for technical documentation and resources related to Microsoft technologies, including Windows operating systems and server products. You can find a wide range of topics related to system administration, including installation, configuration, security, and maintenance.
- Linux Documentation Project: This is a collaborative effort to provide documentation for the Linux operating system. It includes guides, tutorials, and other resources for learning about Linux system administration.
- SANS Institute: The SANS Institute is a well-known provider of cybersecurity training and certification programs. They offer a variety of courses and resources related to system administration, including topics such as Linux, Windows, and networking.
- Online forums and communities: There are many online forums and communities where you can ask questions and get advice from other system administrators. Some examples include the TechNet forums, LinuxQuestions.org, and ServerFault.
- Books and online courses: There are many books and online courses available that can help you learn more about system administration. Some examples include “Linux Administration: A Beginner’s Guide” by Wale Soyinka, “Windows Server 2016 Unleashed” by Rand Morimoto, and “The Linux Command Line” by William Shotts.
This is all for now!
Peace!!