Session Information Gathering
Session information gathering is a technique commonly employed by various malware families such as Remote Access Trojans (RATs), Information Stealers, Keyloggers, and Command and Control (C2) frameworks. It typically forms part of the broader system information gathering phase during malware execution.
This technique involves collecting basic information about the active user session on the infected machine. At a minimum, this includes the current session username, but can also extend to session IDs, domain information, privileges (e.g., admin or standard user), and whether the session is interactive or remote (such as via RDP).
The primary purpose of this technique is to provide the malware operator with context about the environment in which the malware is running. Knowing who is currently logged in allows attackers to:
- Identify whether the current session belongs to a high-value target (e.g., an administrator).
- Tell individual infected systems and their user sessions apart.
- Adapt their tactics based on the user's role or privileges.
- Avoid detection or sandbox environments by identifying unexpected or default usernames.
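From the defender's side, session enumeration leaves a recognisable footprint when it is done through built-in tools: a program that has just landed on a machine runs `whoami` or `quser` from a parent that is not a user's shell. The following is an added example, not code from the original page or from the snippet author; it scores constructed process-creation records (field names loosely modelled on Sysmon Event ID 1, but the records and the `key=value|key=value` format are invented for this example). The lists of query tools, interactive parents and user-writable directories, and the threshold of 3, are assumptions to be tuned to one's own environment.

```python
"""Flag process-creation events that look like malware-driven session enumeration.

Added example, not part of the original page. Records below are constructed,
not captured telemetry; the tool/parent/directory lists are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Built-in tools whose only job is to report who is logged on and with what rights.
SESSION_QUERY_TOOLS = {"whoami.exe", "quser.exe", "qwinsta.exe", "query.exe"}

# Parents from which a human operator would normally launch those tools (assumption).
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                      "explorer.exe", "windowsterminal.exe"}

# Directories an installed product rarely executes from (assumption for this example).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed format for this example)."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return ProcessEvent(
        image=fields.get("image", ""),
        parent_image=fields.get("parentimage", ""),
        command_line=fields.get("commandline", ""),
        user=fields.get("user", ""),
    )


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means the event is not a session query at all."""
    reasons: list[str] = []
    image_name = ntpath.basename(ev.image).lower()
    parent_name = ntpath.basename(ev.parent_image).lower()
    if image_name not in SESSION_QUERY_TOOLS:
        return 0, reasons
    score = 1
    reasons.append(f"session query tool: {image_name}")
    # A session query launched by something other than a user's shell is the
    # pattern described above: freshly executed code orienting itself.
    if parent_name not in INTERACTIVE_SHELLS:
        score += 2
        reasons.append(f"non-interactive parent: {parent_name}")
    if any(d in ev.parent_image.lower() for d in USER_WRITABLE_DIRS):
        score += 2
        reasons.append("parent runs from a user-writable directory")
    cmd = ev.command_line.lower()
    if image_name == "whoami.exe" and any(f in cmd for f in ("/all", "/priv", "/groups")):
        score += 1
        reasons.append("whoami enumerating privileges or groups")
    return score, reasons


def find_suspicious(lines: list[str], threshold: int = 3) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Return (event, score, reasons) for every record scoring at or above threshold."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample records: a benign admin check, a dropper-style query from
# a temp directory, an unrelated process, and a vendor agent querying sessions.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\whoami.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=whoami|User=CORP\\alice",
    "Image=C:\\Windows\\System32\\whoami.exe"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
    "|CommandLine=whoami /all|User=CORP\\alice",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe|User=CORP\\alice",
    "Image=C:\\Windows\\System32\\quser.exe|ParentImage=C:\\Program Files\\Vendor\\agent.exe"
    "|CommandLine=quser|User=NT AUTHORITY\\SYSTEM",
]

if __name__ == "__main__":
    for ev, score, reasons in find_suspicious(SAMPLE_LOG):
        print(f"[{score}] {ev.image} <- {ev.parent_image}: {'; '.join(reasons)}")
```

The first record (an administrator typing `whoami` in a command prompt) scores 1 and is not reported; the temp-directory `updater.exe` running `whoami /all` scores 6; the vendor agent running `quser` sits exactly on the threshold, which is the kind of borderline case worth allow-listing by parent path rather than by lowering the threshold.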
Featured Windows APIs
Associated Code Snippets
Id | Name | Language | Author | Published Date
---|---|---|---|---
12 | Read Active Window Title | | DarkCoderSc | 1 day, 4 hours ago
11 | Get User Idle Time | | DarkCoderSc | 1 day, 5 hours ago
7 | Get User SID | | DarkCoderSc | 3 days, 1 hour ago
6 | Get Computer Name | | DarkCoderSc | 3 days, 1 hour ago
5 | Get Current Windows User | | DarkCoderSc | 3 days, 1 hour ago